Description
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.
Published: 2026-04-14
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling data compromise and integrity loss
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can employ crafted SQL statements within SAP Business Planning and Consolidation and SAP Business Warehouse because of insufficient authorization checks. This susceptibility allows the attacker to read, modify or delete database records, severely compromising confidentiality, integrity, and availability. The related weakness is CWE‑89, a classic SQL injection flaw.

Affected Systems

SAP Business Planning and Consolidation and SAP Business Warehouse from SAP SE are the affected products. Version information is not disclosed, so the vulnerability could affect multiple releases. Any user with valid credentials who can execute business planning queries is at risk.

Risk and Exploitability

The CVSS score of 9.9 classifies this vulnerability as critical. EPSS data is unavailable, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires authentication but otherwise imposes no further constraints; a legitimate user with compromised credentials could abuse the flaw. No publicly available exploits are reported, yet the high severity warrants immediate attention.

Generated by OpenCVE AI on April 14, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch documented in SAP Note 3719353.
  • Download and install the latest security patches from the SAP Security Patch Day website.
  • If a patch is delayed, restrict privileged user accounts and audit query logs for suspicious activity.

Generated by OpenCVE AI on April 14, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap business Planning And Consolidation
Sap business Warehouse
Vendors & Products Sap
Sap business Planning And Consolidation
Sap business Warehouse

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.
Title SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Sap Business Planning And Consolidation Business Warehouse
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:18.028Z

Reserved: 2026-02-23T17:50:17.027Z

Link: CVE-2026-27681

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:08.544Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T00:16:06.560

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-27681

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:22Z

Weaknesses