Description
SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions, temporarily preventing access. However, the application itself cannot be compromised, resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data.
Published: 2026-05-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SAP Financial Consolidation can be disrupted when an authenticated attacker terminates other users’ sessions, temporarily blocking their access. The application itself remains uncompromised and no confidentiality or integrity breach occurs; only a low-impact interruption of availability is observed.

Affected Systems

The vendor is SAP and the affected product is SAP Financial Consolidation. No specific product versions were listed in the advisory.

Risk and Exploitability

With a CVSS score of 4.3, this vulnerability is classified as medium severity. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, implying limited exploitation evidence. The likely attack vector requires an authenticated session, meaning the attacker must first obtain valid credentials before triggering the denial of service. With no public fix or workaround available, the risk is primarily mitigated by restricting session‑termination privileges and monitoring for abnormal activity.

Generated by OpenCVE AI on May 12, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact SAP support to find any patches addressing session‑termination behavior.
  • Restrict session‑termination privileges to a minimal set of trusted administrator accounts.
  • Enable detailed logging and alerting for session termination events to detect potential abuse.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Sap; Sap financial Consolidation
Type: Vendors & Products
Values Added: Sap; Sap financial Consolidation

Tue, 12 May 2026 03:00:00 +0000

Type: Description
Values Added: SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions, temporarily preventing access. However, the application itself cannot be compromised, resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data.
Type: Title
Values Added: Denial of service (DoS) in SAP Financial Consolidation
Type: Weaknesses
Values Added: CWE-404
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T13:01:27.628Z

Reserved: 2026-04-09T17:29:44.663Z

Link: CVE-2026-40136

Vulnrichment

Updated: 2026-05-12T13:01:24.207Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T03:16:12.560

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-40136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T08:45:11Z

Weaknesses