CVE-2026-34256

Summary

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)SAP_FIN 618affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)720affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)730affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)EA-FIN 617affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)700affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)SAPSCORE 135affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)S4CORE 102affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)103affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)104affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)105affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)106affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)107affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)108affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)109affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)EA-APPL 600affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)602affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)603affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)604affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)605affected
SAP_SESAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)606affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References