CVE-2026-34257 - Vulnerability Details

- Open Redirect vulnerability in SAP NetWeaver Application Server ABAP

Description

Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that, if accessed by a victim, they could be redirected to the page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability.

Published: 2026-04-14

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An unauthenticated attacker can craft a malicious URL that, when accessed by a user, forces SAP NetWeaver Application Server ABAP to redirect the browser to an attacker‐controlled site. The vulnerability does not expose, alter, or delete data, so the confidentiality and integrity impact is low and availability is unaffected. This is a classic Open Redirect weakness (CWE‑601).

Affected Systems

SAP NetWeaver Application Server ABAP is affected by this issue; specific product versions are not listed, so users should consult SAP Note 3692004 for detailed version coverage.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate risk. EPSS data is unavailable and the vulnerability is not in the CISA KEV catalog, implying no widespread exploitation is currently documented. The attack can be executed by a simple crafted link that any user might click, requiring no prior authentication and relying on social engineering.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver Application Server ABAP

unaffected

Version	Status	Constraints
`SAP_BASIS 700`	affected	—
`SAP_BASIS 701`	affected	—
`SAP_BASIS 702`	affected	—
`SAP_BASIS 731`	affected	—
`SAP_BASIS 740`	affected	—
`SAP_BASIS 750`	affected	—
`SAP_BASIS 752`	affected	—
`SAP_BASIS 753`	affected	—
`SAP_BASIS 754`	affected	—
`SAP_BASIS 755`	affected	—
`SAP_BASIS 756`	affected	—
`SAP_BASIS 757`	affected	—
`SAP_BASIS 758`	affected	—
`SAP_BASIS 816`	affected	—

No data.

Vendor Product Confidence Versions

Sap

Netweaver Application Server Abap

100%

Version	Status	Scheme	Platform
`SAP_BASIS 700`	affected	generic	—
`SAP_BASIS 701`	affected	generic	—
`SAP_BASIS 702`	affected	generic	—
`SAP_BASIS 731`	affected	generic	—
`SAP_BASIS 740`	affected	generic	—
`SAP_BASIS 750`	affected	generic	—
`SAP_BASIS 752`	affected	generic	—
`SAP_BASIS 753`	affected	generic	—
`SAP_BASIS 754`	affected	generic	—
`SAP_BASIS 755`	affected	generic	—
`SAP_BASIS 756`	affected	generic	—
`SAP_BASIS 757`	affected	generic	—
`SAP_BASIS 758`	affected	generic	—
`SAP_BASIS 816`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the security update referenced in SAP Note 3692004 to eliminate the redirect vulnerability.
Verify that the update has removed the redirect behavior by testing the application server with known redirect URLs.
After the update, monitor logs for any suspicious redirects or phishing attempts that could exploit the fixed behavior.

Generated by OpenCVE AI on April 14, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3692004
https://url.sap/sapsecuritypatchday

History

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap netweaver Application Server Abap
Vendors & Products		Sap Sap netweaver Application Server Abap

Tue, 14 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that, if accessed by a victim, they could be redirected to the page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability.
Title		Open Redirect vulnerability in SAP NetWeaver Application Server ABAP
Weaknesses		CWE-601
References		https://me.sap.com/notes/3692004 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Sap Netweaver Application Server Abap

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-04-14T00:08:39.814Z

Updated: 2026-04-14T13:14:17.620Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34257

Vulnrichment

Updated: 2026-04-14T13:09:01.663Z

NVD

Status : Received

Published: 2026-04-14T01:16:03.730

Modified: 2026-04-14T01:16:03.730

Link: CVE-2026-34257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:19Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object