Description
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.
Published: 2026-03-10
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Exposure
Action: Patch
AI Analysis

Impact

An authenticated user can exploit a missing authorization check in SAP NetWeaver Application Server for ABAP to invoke a specific RFC function module and retrieve Database Analyzer Log Files. The logged data may contain sensitive information, and the attacker could potentially elevate privileges. The vulnerability does not affect system integrity or availability, but it allows limited disclosure of confidential information.

Affected Systems

The SAP NetWeaver Application Server for ABAP is affected. No specific product versions are listed in the advisory.

Risk and Exploitability

The vulnerability scores a CVSS of 5, indicating moderate risk, while the EPSS score of less than 1% suggests a very low likelihood of exploitation. It is not currently listed in CISA’s KEV catalog. Attackers require valid user credentials and the ability to execute the RFC function module; no remote code execution or denial of service is possible.

Generated by OpenCVE AI on April 16, 2026 at 09:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3704740 to address the authorization check issue.
  • Restrict or disable the specific RFC function module so that only authorized roles can execute it.
  • Audit user roles to ensure that accounts do not possess unnecessary authorizations that could enable the exploit.

Generated by OpenCVE AI on April 16, 2026 at 09:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap netweaver Application Server For Abap
Vendors & Products Sap
Sap netweaver Application Server For Abap

Tue, 10 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
Description Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.
Title Missing Authorization check in SAP NetWeaver Application Server for ABAP
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Sap Netweaver Application Server For Abap
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-11T03:56:30.241Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27688

cve-icon Vulnrichment

Updated: 2026-03-10T15:35:56.475Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T17:38:11.497

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-27688

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses