CVE-2026-44754 | THREATINT

Description

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.

PUBLISHED Reserved 2026-05-07 | Published 2026-06-09 | Updated 2026-06-09 | Assigner sap

MEDIUM: 6.6CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L

Problem types

CWE-862: Missing Authorization

Product status

Default status

unaffected

DW4CORE 200

affected

300

affected

400

affected

PI_BASIS 2006_1_700

affected

701

affected

702

affected

731

affected

740

affected

SAP_BW 750

affected

816

affected

References

me.sap.com/notes/3748819

url.sap/sapsecuritypatchday

cve.org (CVE-2026-44754)

nvd.nist.gov (CVE-2026-44754)

Download JSON