CVE-2026-27686

Summary

Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Business Warehouse (Service API)DW4CORE 200affected
SAP_SESAP Business Warehouse (Service API)300affected
SAP_SESAP Business Warehouse (Service API)400affected
SAP_SESAP Business Warehouse (Service API)PI_BASIS 2006_1_700affected
SAP_SESAP Business Warehouse (Service API)701affected
SAP_SESAP Business Warehouse (Service API)702affected
SAP_SESAP Business Warehouse (Service API)730affected
SAP_SESAP Business Warehouse (Service API)731affected
SAP_SESAP Business Warehouse (Service API)740affected
SAP_SESAP Business Warehouse (Service API)SAP_BW 750affected
SAP_SESAP Business Warehouse (Service API)751affected
SAP_SESAP Business Warehouse (Service API)752affected
SAP_SESAP Business Warehouse (Service API)753affected
SAP_SESAP Business Warehouse (Service API)754affected
SAP_SESAP Business Warehouse (Service API)755affected
SAP_SESAP Business Warehouse (Service API)756affected
SAP_SESAP Business Warehouse (Service API)757affected
SAP_SESAP Business Warehouse (Service API)758affected
SAP_SESAP Business Warehouse (Service API)816affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References