CVE-2026-40134

Summary

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Incentive and Commission ManagementSAP_APPL 618affected
SAP_SESAP Incentive and Commission ManagementS4CORE 102affected
SAP_SESAP Incentive and Commission Management103affected
SAP_SESAP Incentive and Commission Management104affected
SAP_SESAP Incentive and Commission Management105affected
SAP_SESAP Incentive and Commission Management106affected
SAP_SESAP Incentive and Commission Management107affected
SAP_SESAP Incentive and Commission Management108affected
SAP_SESAP Incentive and Commission Management109affected
SAP_SESAP Incentive and Commission ManagementEA-APPL 600affected
SAP_SESAP Incentive and Commission Management604affected
SAP_SESAP Incentive and Commission Management605affected
SAP_SESAP Incentive and Commission Management606affected
SAP_SESAP Incentive and Commission Management617affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References