Description

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

PUBLISHED Reserved 2026-02-23 | Published 2026-04-14 | Updated 2026-04-14 | Assigner sap




CRITICAL: 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

Product status

Default status: unaffected

HANABPC 810: affected
BPC4HANA 300: affected
SAP_BW 750: affected
752: affected
753: affected
754: affected
755: affected
756: affected
757: affected
758: affected
816: affected

References

me.sap.com/notes/3719353

url.sap/sapsecuritypatchday

cve.org (CVE-2026-27681)

nvd.nist.gov (CVE-2026-27681)