MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2026-27679

CVSS 6.5v3.1pub. 2026-04-14upd. 2026-05-04

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Sap Manage Reference Structures

    APP
    Sap
    uis4h_109
  • Sap S\/4hana

    APP
    Sap
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-0488CRITICAL9.9PL ✓ten sam produkt

SAP CRM / S/4HANA Scripting Editor — nieautoryzowane wykonanie SQL

CVE-2022-22531HIGH8.1ten sam produkt

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does ...

CVE-2022-22530HIGH8.1ten sam produkt

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does ...

CVE-2021-38176HIGH8.8ten sam produkt

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call N...

CVE-2026-34264MEDIUM6.5ten sam produkt

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messa...