Description
Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity (unauthorized update/delete of child entities)
Action: Patch
AI Analysis

Impact

A missing authorization check in the SAP S/4HANA frontend OData Service for managing reference structures allows an attacker to update and delete child entities without proper permissions. This vulnerability primarily compromises the integrity of the system, as unauthorized modifications can alter critical data while leaving confidentiality and availability intact.

Affected Systems

The affected system is SAP S/4HANA Frontend OData Service (Manage Reference Structures) from SAP. Specific versions are not listed in the advisory, so all installations of this service are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS base score is 6.5, indicating a moderate severity and a medium risk to the affected organization. Exploit probability is not quantified in the EPSS data, and the vulnerability is not currently included in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is network-based, allowing remote exploitation via exposed OData endpoints.

Generated by OpenCVE AI on April 14, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch that restores authorization checks for the Manage Reference Structures OData service.
  • If patching is delayed, limit outbound or inbound network access to the OData endpoints through firewalls or VPNs to prevent unauthorized users from reaching the service.
  • After applying the patch, verify that unauthorized update and delete operations are blocked by testing with a non‑privileged user account.
  • Regularly monitor SAP security advisories and the SAP support portal for additional patches or configuration recommendations.

Generated by OpenCVE AI on April 14, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Sap manage Reference Structures
Sap s\/4hana
CPEs cpe:2.3:a:sap:manage_reference_structures:uis4h_109:*:*:*:*:*:*:*
cpe:2.3:a:sap:s\/4hana:-:*:*:*:*:*:*:*
Vendors & Products Sap manage Reference Structures
Sap s\/4hana

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap s/4hana
Vendors & Products Sap
Sap s/4hana

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
Title Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Sap Manage Reference Structures S/4hana S\/4hana
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:18.168Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27679

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:10.501Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T00:16:06.413

Modified: 2026-05-04T14:58:27.130

Link: CVE-2026-27679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:23Z

Weaknesses