Description
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can inject arbitrary SQL through unvalidated input in SAP S/4HANA (SAP Enterprise Search for ABAP). The application concatenates this input directly into database queries, enabling the attacker to read sensitive data or execute destructive statements. Successful exploitation would compromise confidentiality by exposing confidential database contents and could lead to application crashes, impacting availability. Integrity remains unaffected in the described vulnerability.

Affected Systems

The affected system is SAP SE’s SAP S/4HANA with the Enterprise Search for ABAP component. No specific version range is disclosed in the available data, so all installations that include this component may be vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector requires an authenticated user to submit malicious input; therefore, the risk is higher in environments where user privileges are not tightly controlled. With the provided score, the potential for exploitation is significant if a privileged user or compromised account can interact with the vulnerable component.

Generated by OpenCVE AI on May 12, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the security patch outlined in SAP Note 3724838 to the Enterprise Search component.
  • Restrict user access to Enterprise Search to those who require it for business operations.
  • Update any custom ABAP code that builds SQL statements to use parameterized queries and proper input validation.
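The third action above is the one application teams can act on themselves. The following ABAP class is an added illustration of it and is not SAP's code, nor the Enterprise Search implementation affected by this CVE; it assumes a hypothetical search parameter `iv_search` and uses the standard material-description table `MAKT` only to show the pattern. It contrasts the CWE-89 shape described in the advisory (user input concatenated into a dynamic WHERE clause) with two safe forms: a host variable, and, where a dynamic clause is genuinely required, escaping the literal with `cl_abap_dyn_prg=>quote`.

```abap
" Added illustration for the recommended action on parameterized queries.
" Not SAP's code and not the vulnerable Enterprise Search component;
" table MAKT and the parameter iv_search are assumptions for the example.

CLASS lcl_material_search DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_hit,
             matnr TYPE makt-matnr,
             maktx TYPE makt-maktx,
           END OF ty_hit,
           ty_hits TYPE STANDARD TABLE OF ty_hit WITH EMPTY KEY.

    " CWE-89 shape: user input becomes part of the SQL text itself.
    METHODS search_unsafe
      IMPORTING iv_search      TYPE string
      RETURNING VALUE(rt_hits) TYPE ty_hits.

    " Preferred fix: a host variable, so the value is data, never SQL syntax.
    METHODS search_safe
      IMPORTING iv_search      TYPE string
      RETURNING VALUE(rt_hits) TYPE ty_hits.

    " When a dynamic clause is unavoidable: escape the literal before concatenating.
    METHODS search_dynamic_safe
      IMPORTING iv_search      TYPE string
      RETURNING VALUE(rt_hits) TYPE ty_hits.
ENDCLASS.

CLASS lcl_material_search IMPLEMENTATION.
  METHOD search_unsafe.
    " An embedded single quote in iv_search closes the literal, and the rest
    " of the input is then parsed by the database as SQL.
    DATA(lv_where) = |MAKTX LIKE '%{ iv_search }%'|.
    SELECT matnr, maktx FROM makt
      WHERE (lv_where)
      INTO TABLE @rt_hits.
  ENDMETHOD.

  METHOD search_safe.
    " The wildcard pattern is built in ABAP and passed as a host variable;
    " quotes inside iv_search are matched as characters, not interpreted.
    DATA(lv_pattern) = |%{ iv_search }%|.
    SELECT matnr, maktx FROM makt
      WHERE maktx LIKE @lv_pattern
      INTO TABLE @rt_hits.
  ENDMETHOD.

  METHOD search_dynamic_safe.
    " cl_abap_dyn_prg=>quote( ) wraps the value in single quotes and doubles
    " any quote it contains, so the result is always exactly one string literal.
    DATA(lv_pattern) = |%{ iv_search }%|.
    DATA(lv_where)   = |MAKTX LIKE { cl_abap_dyn_prg=>quote( lv_pattern ) }|.
    SELECT matnr, maktx FROM makt
      WHERE (lv_where)
      INTO TABLE @rt_hits.
  ENDMETHOD.
ENDCLASS.
```

The host-variable form should be the default; `cl_abap_dyn_prg` is the fallback for code that must assemble clauses at runtime (its `check_column_name` and whitelist methods cover the cases where the dynamic part is a column or table name rather than a value, which `quote` does not protect). A code scan for `WHERE (` in custom ABAP is a practical way to find every place where the second or third pattern needs to replace the first.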


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Sap Se; Sap Se sap S/4hana (sap Enterprise Search For Abap)
Vendors & Products   (none)           Sap Se; Sap Se sap S/4hana (sap Enterprise Search For Abap)

Tue, 12 May 2026 03:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
Title        (none)           SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)
Weaknesses   (none)           CWE-89
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:20:21.855Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34260

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T03:16:11.517

Modified: 2026-05-12T03:16:11.517

Link: CVE-2026-34260

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:06Z

Weaknesses