Description
SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability. This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to supply email sending parameters that are not fully validated, enabling the sending of emails with forged sender identities. This flaw results in potential integrity violations as recipients may be misled about the source of the message, but it does not compromise confidentiality or availability of the application. The weakness is classified as CWE-346, insufficient provenance validation.

Affected Systems

The affected product is SAP Business Objects Business Intelligence Platform, as identified by the SAP SE CNA. The specific impacted versions are not enumerated in the advisory, so all releases of the platform should be treated as potentially vulnerable and verified for the presence of the flaw.

Risk and Exploitability

The CVSS score of 4.3 places the vulnerability in the medium severity band. The EPSS score is below 1% (very low) and the issue is not listed in the CISA KEV catalog, suggesting a limited likelihood of public exploitation. The attack requires the user to be authenticated to the platform (PR:L in the CVSS vector), so internal or compromised accounts can exploit the flaw. Without a published fix, the risk remains confined to users who can input email parameters.

Generated by OpenCVE AI on June 9, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review SAP Note 3687096 and apply the vendor‑recommended configuration changes or patch to enforce proper validation of email parameters.
  • If possible, disable or restrict the ability for authenticated users to specify arbitrary email sender addresses through configuration settings.
  • Continuously monitor outgoing email traffic for unusual or spoofed sender headers to detect potential abuse.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Business Objects Business Intelligence Platform
Vendors & Products Sap Se
Sap Se sap Business Objects Business Intelligence Platform

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Description SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability. This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application.
Title Email Spoofing vulnerability in SAP Business Objects Business Intelligence Platform
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-09T14:32:41.966Z

Reserved: 2026-05-07T18:31:04.067Z

Link: CVE-2026-44755

Vulnrichment

Updated: 2026-06-09T14:32:38.415Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T01:16:47.177

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T02:30:26Z

Weaknesses