Description
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Published: 2026-05-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SAP Incentive and Commission Management application contains an insufficient authorization check that lets an authenticated user invoke a remote‑enabled function module to perform table update operations. This flaw allows an attacker who has valid credentials to alter stored data, which results in a low‑impact loss of data integrity. The vulnerability does not affect confidentiality or availability of the application.

Affected Systems

The affected product is SAP Incentive and Commission Management. No specific product versions are listed, so any deployed instance of this SAP solution that does not have the relevant security update may be susceptible.

Risk and Exploitability

The CVSS score of 4.3 labels this issue as low severity, and the EPSS score is not available while the vulnerability is not listed in CISA’s KEV catalog. The flaw requires an authenticated user to be able to reach the SAP system; it does not provide remote code execution or other elevated privileges. Consequently, the risk is limited to attackers who already possess valid credentials and can use the function module to modify data.

Generated by OpenCVE AI on May 12, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security update associated with SAP Note 3718508.
  • Disable or restrict the remote‑enabled function module that performs the table updates if it is not required for business processes.
  • Review and strengthen authorization objects for the affected function to ensure adequate checks are in place for all authenticated users.

Generated by OpenCVE AI on May 12, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Incentive And Commission Management
Vendors & Products Sap Se
Sap Se sap Incentive And Commission Management

Tue, 12 May 2026 03:00:00 +0000

Type Values Removed Values Added
Description Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Title Missing Authorization Check in SAP Incentive and Commission Management
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Sap Se Sap Incentive And Commission Management
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T13:11:34.915Z

Reserved: 2026-04-09T17:29:44.663Z

Link: CVE-2026-40134

cve-icon Vulnrichment

Updated: 2026-05-12T13:11:32.049Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T03:16:12.307

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-40134

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:21:58Z

Weaknesses