Description
SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of the application.
Published: 2026-07-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the SAP S/4HANA Draft operation. An authenticated user that has restricted permissions can access information within the entity, leading to an escalation of privileges. This bypass causes a low impact on confidentiality but does not affect integrity or availability of the application.

Affected Systems

SAP S/4HANA No specific version details are provided in the CNA data.

Risk and Exploitability

The CVSS score of 4.3 classifies the severity as low, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation evidence. The likely attack vector requires an authenticated user it does not enable remote code execution or denial of service. Exploitation would allow the attacker to gain higher privileges within the same entity, but the probability of widespread impact remains low.

Generated by OpenCVE AI on July 14, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided security patch or update for SAP S/4HANA Draft operation
  • Limit the use of require it by tightening role‑based access control
  • Remove or disable Draft operation for users who do not need it to reduce the attack surface

Generated by OpenCVE AI on July 14, 2026 at 12:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of the application.
Title Missing Authorization check in SAP S/4HANA (Draft operation)
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-07-14T12:52:09.720Z

Reserved: 2026-05-07T18:39:44.147Z

Link: CVE-2026-44771

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T12:45:10Z

Weaknesses