Description
Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.
Published: 2026-03-10
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach by unauthorized access to sensitive data
Action: Apply vendor patch
AI Analysis

Impact

A missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal allows a user with high privileges to view sensitive data belonging to another company. The primary weakness is a lack of proper access control (CWE‑862). The vulnerability threatens confidentiality only, with no impact on integrity or availability.

Affected Systems

Impact is limited to SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, as listed by SAP. No specific version information is provided, so the risk applies to all installations of these products.

Risk and Exploitability

The CVSS score of 5.8 denotes a moderate severity. The EPSS value of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It is likely to be exploited by insiders with elevated privileges who have access to the affected systems.

Generated by OpenCVE AI on April 16, 2026 at 09:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch or update to a version that contains the fix for the missing authorization check.
  • Limit the use of high‑privilege accounts and enforce least‑privilege access for users who do not need to read cross‑company data.
  • Implement monitoring and logging of privileged user activity to detect unauthorized data access attempts.

Generated by OpenCVE AI on April 16, 2026 at 09:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Erp Hcm Portugal
Sap Se sap S/4hana Hcm Portugal
Vendors & Products Sap Se
Sap Se sap Erp Hcm Portugal
Sap Se sap S/4hana Hcm Portugal

Tue, 10 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
Description Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.
Title Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Sap Se Sap Erp Hcm Portugal Sap S/4hana Hcm Portugal
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:52:42.319Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27687

cve-icon Vulnrichment

Updated: 2026-03-10T15:35:58.499Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T17:38:11.330

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-27687

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses