Description
Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in SAP Business Analytics and SAP Content Management allows an authenticated user to invoke remote function modules that the user is not authorized to call. This flaw is a classic example of CWE‑862: Authorization Bypass Through User‑Controlled Key. The result is that sensitive data may be exposed, thereby compromising confidentiality while leaving integrity and availability unaffected.

Affected Systems

The vulnerability applies to SAP Business Analytics and SAP Content Management. No specific product versions are listed, so all deployments of these services should validate their build against SAP Note 3705094 to determine exposure.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog. Exploitation requires a legitimate authenticated session; the attacker must already possess a user account with valid credentials. The lack of an unauthenticated attack surface limits the exploitation likelihood, but the potential for confidential data leakage makes the overall risk moderate to high if left unmitigated.

Generated by OpenCVE AI on April 14, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify your SAP Business Analytics or SAP Content Management version against SAP Note 3705094 to confirm the presence of the vulnerability.
  • Apply the security patch released during the SAP Security Patch Day to address the missing authorization check.
  • If a patch cannot be applied immediately, strengthen role-based access controls to restrict the use of sensitive function modules.
  • Continuously monitor system logs for unexpected remote function calls following remediation or patch deployment.

Generated by OpenCVE AI on April 14, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap business Analytics
Sap content Management
Vendors & Products Sap
Sap business Analytics
Sap content Management

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.
Title Missing Authorization check in SAP Business Analytics and SAP Content Management
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Sap Business Analytics Content Management
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:17.473Z

Reserved: 2026-03-26T19:02:45.983Z

Link: CVE-2026-34261

cve-icon Vulnrichment

Updated: 2026-04-14T13:08:59.407Z

cve-icon NVD

Status : Received

Published: 2026-04-14T01:16:03.897

Modified: 2026-04-14T01:16:03.897

Link: CVE-2026-34261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:16Z

Weaknesses