CVE-2026-34256 | THREATINT

Description

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

PUBLISHED Reserved 2026-03-26 | Published 2026-04-14 | Updated 2026-04-14 | Assigner sap

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Problem types

CWE-862: Missing Authorization

Product status

Default status

unaffected

SAP_FIN 618

affected

720

affected

730

affected

EA-FIN 617

affected

700

affected

SAPSCORE 135

affected

S4CORE 102

affected

103

affected

104

affected

105

affected

106

affected

107

affected

108

affected

109

affected

EA-APPL 600

affected

602

affected

603

affected

604

affected

605

affected

606

affected

References

me.sap.com/notes/3731908

url.sap/sapsecuritypatchday

cve.org (CVE-2026-34256)

nvd.nist.gov (CVE-2026-34256)

Download JSON