Description
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
Published: 2026-04-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages that can be intercepted by an authenticated user with low privileges. An attacker can guess and enumerate these messages to learn content beyond their authorized scope, leading to disclosure of sensitive information. The vulnerability does not affect integrity or availability, but the loss of confidentiality can severely impact stakeholder trust and regulatory compliance.

Affected Systems

The vulnerability impacts SAP Human Capital Management for SAP S/4HANA. No specific product versions are listed, so any instance of this SAP module that has not applied the latest fixes may be affected. Users should verify the presence of SAP Note 3680767 or subsequent security patches.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The attack requires an authenticated SAP account with low privileges; the attacker must manually trigger the authorization checks and parse the returned messages, which indicates a moderate level of skill and access. While there are no publicly disclosed exploits, organizations should treat this as a medium risk and prioritize remediation.

Generated by OpenCVE AI on April 14, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP Note 3680767 to address the vulnerability.
  • If immediate patching is not possible, reduce user permissions and enforce least‑privilege access.
  • Monitor authentication logs for unusual enumeration attempts.
  • Keep SAP S/4HANA installation up to date.

Generated by OpenCVE AI on April 14, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap erp Human Capital Management
Vendors & Products Sap
Sap erp Human Capital Management

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
Title Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Sap Erp Human Capital Management
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:17.154Z

Reserved: 2026-03-26T19:02:45.983Z

Link: CVE-2026-34264

cve-icon Vulnrichment

Updated: 2026-04-14T13:08:55.247Z

cve-icon NVD

Status : Received

Published: 2026-04-14T01:16:04.200

Modified: 2026-04-14T01:16:04.200

Link: CVE-2026-34264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:14Z

Weaknesses