Description
Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.
Published: 2026-05-12
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an OS command injection (CWE-77) in SAP Forecasting & Replenishment. When an authenticated user with administrative privileges triggers a non-remote-enabled function, arbitrary operating system commands can be executed. This capability allows the attacker to read or modify any system data and to shut down the system, leading to a complete compromise of confidentiality, integrity, and availability.

Affected Systems

The vulnerable component is SAP Forecasting & Replenishment. No specific version range is disclosed in the advisory, so all installations may be affected until SAP issues a fix. Administrators should verify the product version and consult the referenced SAP notes for patch details.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS is not available, and the issue is not listed in CISA KEV, which suggests there is no publicly confirmed exploitation yet. The attack requires authenticated administrative access, which is normally granted to a limited set of users. However, the ability to run arbitrary OS commands makes the vulnerability a critical risk if privileged accounts are compromised or misused.

Generated by OpenCVE AI on May 12, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any SAP-issued patch or update for SAP Forecasting & Replenishment that addresses this command injection flaw.
  • Restrict or disable the vulnerable non-remote-enabled function for users who do not need it, and enforce least-privilege access for administrative accounts.
  • Enable comprehensive logging and auditing of administrative activity to detect and respond to any abnormal command execution attempts.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sap Se
                                      Sap Se sap Forecasting & Replenishment
Vendors & Products                    Sap Se
                                      Sap Se sap Forecasting & Replenishment

Tue, 12 May 2026 03:00:00 +0000

Type         Values Removed   Values Added
Description                   Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.
Title                         OS Command Injection Vulnerability in SAP Forecasting & Replenishment
Weaknesses                    CWE-77
References
Metrics                       cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:20:00.741Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34259

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T03:16:11.383

Modified: 2026-05-12T03:16:11.383

Link: CVE-2026-34259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:07Z

Weaknesses