Description
SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.
Published: 2026-07-14
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SAP HANA Database user self‑service tools allow an unauthenticated attacker to send crafted requests that yield distinct responses. These responses let the attacker determine which usernames and associated email addresses exist in the system. The vulnerability provides low‑severity confidentiality exposure; it does not affect the integrity or availability of the application.

Affected Systems

The affected product is SAP HANA Extended Application Services classic model (User Self Service) from SAP SE. No specific version details are listed in the CNA data; all installations of this component are potentially impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates a low overall severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited or no evidence of active exploitation in the wild. The likely attack vector is remote over the web interface used for user self‑service; an attacker can craft requests from any network that can reach the service. Since the attack requires no authentication, it is easily repeatable and could be automated if the service is exposed to the internet.

Generated by OpenCVE AI on July 14, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP’s security patch for note 3732522 to update the HANA user self‑service component
  • Upgrade the SAP HANA Extended Application Services to the latest supported release following vendor guidance
  • Restrict network access to the user self‑service web service using firewalls or VPNs so that only trusted hosts can contact it

Generated by OpenCVE AI on July 14, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.
Title Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-07-14T12:38:29.089Z

Reserved: 2026-05-07T18:31:04.066Z

Link: CVE-2026-44753

cve-icon Vulnrichment

Updated: 2026-07-14T12:38:25.561Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses
  • CWE-204

    Observable Response Discrepancy