CVE-2026-24316

Summary

SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 740affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 750affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 751affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 752affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 753affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 754affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 755affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 756affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 757affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 758affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 816affected
SAP_SESAP NetWeaver Application Server for ABAPSAP_BASIS 918affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References