Description
Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.
Published: 2026-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can execute a report generation command that overwrites another user's data, allowing an attacker to escalate privileges. The flaw has high impact on integrity and low impact on availability, with no impact on confidentiality.

Affected Systems

The vulnerability resides in SAP NetWeaver and the ABAP Platform. All installations of the Application Server ABAP component are potentially impacted. No specific version ranges are listed, so any current or unpatched configuration of these products should be reviewed.

Risk and Exploitability

The CVSS score of 7.1 is rated High. The EPSS score is below 1% (Very Low), so the estimated probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, indicating no known exploitation at the time of this analysis. The likely attack vector is an authenticated session in which the user can run ABAP reports; no external trigger is required beyond legitimate credentials.

Generated by OpenCVE AI on June 9, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security update covered by note 3735546 to patch the Application Server ABAP component.
  • Verify that the latest version of SAP NetWeaver and ABAP Platform includes the fix by consulting the SAP Service Marketplace for the appropriate patch level.
  • Restrict report‑execution permissions for non‑trusted accounts and enforce least privilege access controls.
  • Monitor audit logs for unexpected report generation activity following the patch implementation.

Generated by OpenCVE AI on June 9, 2026 at 02:50 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap Se; Sap Se sap Netweaver And Abap Platform
Vendors & Products | | Sap Se; Sap Se sap Netweaver And Abap Platform

Tue, 09 Jun 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.
Title | | Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-10T03:58:31.825Z

Reserved: 2026-05-07T18:16:34.195Z

Link: CVE-2026-44751

Vulnrichment

Updated: 2026-06-09T13:23:27.322Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T01:16:46.867

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T03:00:14Z

Weaknesses