Description
Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a missing authorization check in the SAP S/4HANA backend OData Service for Manage Reference Structures. Because the service fails to validate user permissions, an attacker can modify or delete child entity records through exposed OData endpoints. This results in a breach of data integrity, allowing unauthorized changes to critical business data. The weakness corresponds to CWE-862, Missing Authorization.

Affected Systems

SAP S/4HANA Backend OData Service (Manage Reference Structures) is the impacted product. The CVE specifically references SAP SE’s implementation of this service on the SAP S/4HANA platform. No specific version numbers are supplied, so all deployments of this component may be affected until a fix is applied.

Risk and Exploitability

The CVSS score for this issue is 6.5 (Medium), indicating a moderately high potential for harm. EPSS data is not available, so the exact likelihood of exploitation cannot be quantified. The vulnerability is not listed as a known exploited vulnerability by CISA. An attacker would need network access to the SAP S/4HANA system and credentials that grant access to the OData interface; once such a request is sent, the missing check permits the update or deletion of data without any further authorization.

Generated by OpenCVE AI on April 14, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch referenced in SAP Note 3715177 to the SAP S/4HANA backend OData Service.
  • Verify that the authorized roles and permissions are correctly configured for OData access.
  • Restrict network access to the OData service to trusted hosts or VPN users only.
  • Monitor transaction logs for unauthorized create, update, or delete operations on child entities.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap s/4hana
Vendors & Products | | Sap; Sap s/4hana

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
Title | | Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:18.299Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27678

Vulnrichment

Updated: 2026-04-14T13:09:12.551Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T00:16:06.270

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-27678

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:24Z

Weaknesses