Description
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.
Published: 2026-04-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity Compromise
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in the SAP S/4HANA OData Service for managing technical object structures allows an attacker to update or delete child entities through exposed OData endpoints. The flaw leads to unauthorized modification of data, resulting in a low-level impact on data integrity, while confidentiality and availability remain unaffected. The weakness is a classic missing authorization control (CWE‑862).

Affected Systems

The affected system is SAP S/4HANA, specifically the OData Service for managing technical object structures. No specific software version details are provided in the report.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity overall, and no EPSS score is available, so the exploitation likelihood is uncertain. Because the vulnerability requires only access to the exposed OData endpoints, an attacker could exploit it from any network segment that can reach those services, assuming no authentication checks are in place. Although the impact on confidentiality and availability is minimal, the ability to alter or delete data could disrupt business processes, warranting prompt attention. The vulnerability is not listed in the CISA KEV catalog, but it still poses an integrity risk that should be mitigated.

Generated by OpenCVE AI on April 14, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP Note 3711682 to patch the OData service and eliminate the missing authorization checks.
  • Verify that only authenticated and authorized users have write or delete rights against the affected OData endpoints.
  • Restrict network access to the OData service, ensuring that only trusted hosts or VPN connections can reach it.
  • If a patch cannot be deployed immediately, consider disabling the exposed OData endpoints or applying temporary configuration filters to block write/delete operations.

Generated by OpenCVE AI on April 14, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap s/4hana
Vendors & Products Sap
Sap s/4hana

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.
Title Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures)
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Sap S/4hana
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:18.632Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27676

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:16.676Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T00:16:05.987

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-27676

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:26Z

Weaknesses