CVE-2026-34264

Summary

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Human Capital Management for SAP S/4HANAS4HCMRXX 100affected
SAP_SESAP Human Capital Management for SAP S/4HANA101affected
SAP_SESAP Human Capital Management for SAP S/4HANA102affected
SAP_SESAP Human Capital Management for SAP S/4HANASAP_HRRXX 600affected
SAP_SESAP Human Capital Management for SAP S/4HANA604affected
SAP_SESAP Human Capital Management for SAP S/4HANA608affected

Weaknesses

  • CWE-204: CWE-204: Observable Response Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References