Description
Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.
Published: 2026-03-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration and control changes leading to potential denial of service
Action: Patch
AI Analysis

Impact

A missing authorization check in the SAP Business Warehouse (Service API) allows an authenticated attacker to invoke an affected RFC function module and perform actions the caller is not entitled to. The flaw can be used to make unauthorized configuration and control changes that disrupt request processing and ultimately cause a denial of service: high impact on availability, low impact on integrity, and no impact on confidentiality. The weakness is CWE-862 (Missing Authorization): the module acts on the request without verifying that the caller is permitted to perform that action.

Affected Systems

The vulnerability affects SAP Business Warehouse (Service API) from SAP SE. The record discloses no version information, so every installation that exposes the affected RFC function module should be treated as potentially affected until vendor guidance confirms otherwise.

Risk and Exploitability

The CVSS 3.1 base score is 5.9 (Medium), vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H: the module is reachable over the network, but exploitation has high attack complexity and requires an account with at least low privileges that can reach the RFC interface; no user interaction is needed. EPSS puts the probability of exploitation below 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the attack as not automatable. Successful exploitation results in denial of service through unauthorized configuration and control changes to request processing.

Generated by OpenCVE AI on April 16, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and apply the security patch detailed in SAP Note 3703385 to correct the missing authorization check.
  • If an immediate patch is not possible, restrict who can reach the affected RFC function module: tighten S_RFC assignments so that only roles that genuinely need its function group carry it and, where Unified Connectivity (UCON) is in use, keep the module out of the externally callable allow-list. S_RFC gates the call itself; it does not substitute for the application-level check that the patch restores.
  • Monitor and alert on SAP logs (the Security Audit Log for RFC function calls, the gateway log for connection sources) for unexpected callers of the affected module or for changes to request-processing configuration, so unauthorized use is detected before it turns into a denial of service.
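The pattern behind a CWE-862 finding in an RFC-enabled function module, and the fix that the second action above amounts to, as an added example written for this page: it is not code from SAP or from the affected Service API, and the advisory does not name the affected module. The function modules Z_BW_REQUEST_CONTROL_VULN and Z_BW_REQUEST_CONTROL, their parameters, the authorization object Z_BW_REQ with fields ACTVT and BWREQID, and the subroutine apply_request_action are hypothetical names assumed for illustration.

```abap
* Added example for this page, not code from SAP or from the affected
* Service API. Z_BW_REQUEST_CONTROL*, Z_BW_REQ (fields ACTVT, BWREQID)
* and FORM apply_request_action are hypothetical names.

*---- Vulnerable shape: remote-enabled and trusts the caller entirely ----
FUNCTION z_bw_request_control_vuln.
*"  IMPORTING
*"     VALUE(iv_request_id) TYPE char30
*"     VALUE(iv_action)     TYPE char10     " 'CANCEL', 'RESET' or 'SHOW'
*"  EXCEPTIONS
*"     not_found
* Any user whose S_RFC authorization admits this function group can
* cancel or reset request processing: nothing ties the state-changing
* action to the caller's BW authorizations (CWE-862).
  PERFORM apply_request_action USING iv_request_id iv_action.
ENDFUNCTION.

*---- Hardened shape: AUTHORITY-CHECK before any state change ----
FUNCTION z_bw_request_control.
*"  IMPORTING
*"     VALUE(iv_request_id) TYPE char30
*"     VALUE(iv_action)     TYPE char10
*"  EXCEPTIONS
*"     no_authority
*"     not_found
  DATA lv_actvt TYPE c LENGTH 2.

* Map the action to an activity so that display-only callers never
* reach the branch that alters request processing.
  CASE iv_action.
    WHEN 'CANCEL' OR 'RESET'.
      lv_actvt = '02'.          " change
    WHEN OTHERS.
      lv_actvt = '03'.          " display
  ENDCASE.

  AUTHORITY-CHECK OBJECT 'Z_BW_REQ'
    ID 'ACTVT'   FIELD lv_actvt
    ID 'BWREQID' FIELD iv_request_id.
  IF sy-subrc <> 0.
*   Fail closed with a classic exception: the RFC caller receives an
*   explicit denial instead of a silent no-op, and the failed call
*   is visible to the calling system.
    RAISE no_authority.
  ENDIF.

  PERFORM apply_request_action USING iv_request_id iv_action.
ENDFUNCTION.
```

The point of the hardened shape is the order of operations: the authorization object is evaluated against the caller's own roles before any state change, and a failed check raises rather than continuing. S_RFC only decides whether the user may call the function group over RFC at all, so a caller who legitimately holds S_RFC for other modules in the same group would still pass that gate; the in-module AUTHORITY-CHECK is what the missing-authorization weakness leaves out.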



Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Sap Se
                                       Sap Se sap Business Warehouse (service Api)
Vendors & Products                     Sap Se
                                       Sap Se sap Business Warehouse (service Api)

Tue, 10 Mar 2026 00:45:00 +0000

Type          Values Removed   Values Added
Description                    Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.
Title                          Missing Authorization check in SAP Business Warehouse (Service API)
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:52:48.429Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27686

Vulnrichment

Updated: 2026-03-10T15:36:00.769Z

NVD

Status : Awaiting Analysis

Published: 2026-03-10T17:38:11.147

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-27686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses