CVE-2026-34256 - Vulnerability Details

- Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Description

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

Published: 2026-04-14

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A missing authorization check in SAP ERP and SAP S/4 HANA allows an authenticated attacker to execute a specific ABAP report that can overwrite any existing eight‑character executable ABAP report without the necessary authorization. The weakness is categorized as CWE‑862 (Missing Authorization). Once the overwritten report is run, its intended functionality can be lost, which results in a service disruption for the affected functionality. The integrity impact is restricted to the overwritten report, and no data confidentiality is compromised.

Affected Systems

The vulnerability affects SAP’s ERP and SAP S/4 HANA systems, both in private cloud and on‑premise deployments. The CNA SAP SE has identified these products as impacted. Specific affected versions are not listed, so all running installations of these products could be at risk if they have not applied the available patch.

Risk and Exploitability

The CVSS base score of 7.1 indicates a medium severity level. EPSS data is unavailable and the vulnerability is not included in CISA’s KEV catalog, suggesting no publicly known exploits at this time. The primary attack vector is inferred to be an authenticated user in the SAP environment, as the missing authorization check only protects against users who appear to be authorized. Exploitation requires that the attacker possess valid credentials and sufficient rights to execute the vulnerable ABAP report. The impact after exploitation is limited to the availability of the overwritten report and its constituent functionality.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

unaffected

Version	Status	Constraints
`SAP_FIN 618`	affected	—
`720`	affected	—
`730`	affected	—
`EA-FIN 617`	affected	—
`700`	affected	—
`SAPSCORE 135`	affected	—
`S4CORE 102`	affected	—
`103`	affected	—
`104`	affected	—
`105`	affected	—
`106`	affected	—
`107`	affected	—
`108`	affected	—
`109`	affected	—
`EA-APPL 600`	affected	—
`602`	affected	—
`603`	affected	—
`604`	affected	—
`605`	affected	—
`606`	affected	—

No data.

Vendor Product Confidence Versions

Sap

Erp

100%

Version	Status	Scheme	Platform
`SAP_FIN 618`	affected	generic	—
`720`	affected	generic	—
`730`	affected	generic	—
`EA-FIN 617`	affected	generic	—
`700`	affected	generic	—
`SAPSCORE 135`	affected	generic	—
`S4CORE 102`	affected	generic	—
`103`	affected	generic	—
`104`	affected	generic	—
`105`	affected	generic	—
`106`	affected	generic	—
`107`	affected	generic	—
`108`	affected	generic	—
`109`	affected	generic	—
`EA-APPL 600`	affected	generic	—
`602`	affected	generic	—
`603`	affected	generic	—
`604`	affected	generic	—
`605`	affected	generic	—
`606`	affected	generic	—

Sap

S/4 Hana

—

Version	Status	Scheme	Platform
`SAP_FIN 618`	affected	generic	—
`720`	affected	generic	—
`730`	affected	generic	—
`EA-FIN 617`	affected	generic	—
`700`	affected	generic	—
`SAPSCORE 135`	affected	generic	—
`S4CORE 102`	affected	generic	—
`103`	affected	generic	—
`104`	affected	generic	—
`105`	affected	generic	—
`106`	affected	generic	—
`107`	affected	generic	—
`108`	affected	generic	—
`109`	affected	generic	—
`EA-APPL 600`	affected	generic	—
`602`	affected	generic	—
`603`	affected	generic	—
`604`	affected	generic	—
`605`	affected	generic	—
`606`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the SAP security patch available at https://me.sap.com/notes/3731908
Verify that your SAP ERP or SAP S/4 HANA installation is running the patched version as of the latest SAP security patch day
If unable to apply the patch immediately, restrict or disable the vulnerable ABAP report and monitor for unauthorized attempts

Generated by OpenCVE AI on April 14, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3731908
https://url.sap/sapsecuritypatchday

History

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap erp Sap s/4 Hana
Vendors & Products		Sap Sap erp Sap s/4 Hana

Tue, 14 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.
Title		Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Weaknesses		CWE-862
References		https://me.sap.com/notes/3731908 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}`

Subscriptions

Sap Erp S/4 Hana

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-04-14T00:08:26.993Z

Updated: 2026-04-14T13:14:17.750Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34256

Vulnrichment

Updated: 2026-04-14T13:09:04.258Z

NVD

Status : Received

Published: 2026-04-14T01:16:03.530

Modified: 2026-04-14T01:16:03.530

Link: CVE-2026-34256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:20Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object