Description
The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
Published: 2026-06-09
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ODP Data Replication API’s Remote Function Call modules lack a check for caller identification, allowing any SAP‑internal or third‑party application to invoke the API without verification. This flaw can be used to retrieve data that the caller is not authorized to see, leading to potential disclosure of sensitive information. The vulnerability does not affect data integrity or cause significant availability problems, as the flaw is confined to the caller‑validation logic. CWE‑862 reflects missing authorization controls.

Affected Systems

The affected product is SAP SE’s Operational Data Provisioning Data Replication API (ODP‑RFC). No specific affected versions are listed in the advisory, so all deployed instances may be vulnerable until a hot‑fix or patch is applied.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, focusing on confidentiality impact. Because EPSS is not available and the vulnerability is not listed in CISA KEV, the likelihood of exploitation is uncertain but potentially non‑negligible. The likely attack vector is remote via the RFC interface, which can be accessed by external applications that connect to the SAP system over network. An attacker would first need network access to the SAP gateways that expose the RFC endpoints and then craft calls that exploit the lack of caller verification to pull data.

Generated by OpenCVE AI on June 9, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or update to the latest SAP release as per SAP Note 3748819.
  • Restrict RFC access by configuring the system to allow only trusted, pre‑approved applications as callers.
  • Monitor RFC activity and audit logs for unexpected or unauthorized callers, and block connections that fail verification.

Generated by OpenCVE AI on June 9, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se odp Data Replication Apis
Vendors & Products Sap Se
Sap Se odp Data Replication Apis

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Description The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
Title Missing caller identification check-in for ODP Data Replication APIs
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Sap Se Odp Data Replication Apis
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-09T14:33:12.973Z

Reserved: 2026-05-07T18:31:04.067Z

Link: CVE-2026-44754

cve-icon Vulnrichment

Updated: 2026-06-09T14:33:06.178Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T01:16:47.003

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:22Z

Weaknesses