CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-44748

CVSS 9.9v3.1pub. 2026-06-09

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.

🤖 AI Analysis
How it works

An attacker with normal access level intercepts or obtains a properly signed XML message. Then modifies the content of the XML document while preserving the original signature, and sends the prepared document to the verifier. Due to improper signature verification (CWE-347), the system accepts the modified document as authentic. As a result, the attacker can present falsified user identity information, which will be considered trusted by the application.

Impact

An attacker can gain unauthorized access to sensitive data of other users by impersonating their identity. System disruptions are also possible, which means high impact on the confidentiality, integrity, and availability of the application.

Mitigation & patch

Apply patches available from the vendor according to references — SAP Note 3746332 published as part of SAP Security Patch Day (https://url.sap/sapsecuritypatchday).

Who is affected

SAP NetWeaver Application Server ABAP and ABAP Platform — specific versions indicated in vendor references (SAP Note 3746332).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References