CVE-2026-24326

Summary

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)EA-DFPS 600affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)603affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)604affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)605affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)606affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)616affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)617affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)618affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)619affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)800affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)801affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)802affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)803affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)804affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)805affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)806affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)807affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)808affected
SAP_SESAP S/4HANA Defense & Security (Disconnected Operations)809affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References