CVE-2026-44754

Summary

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SEODP Data Replication APIsDW4CORE 200affected
SAP_SEODP Data Replication APIs300affected
SAP_SEODP Data Replication APIs400affected
SAP_SEODP Data Replication APIsPI_BASIS 2006_1_700affected
SAP_SEODP Data Replication APIs701affected
SAP_SEODP Data Replication APIs702affected
SAP_SEODP Data Replication APIs731affected
SAP_SEODP Data Replication APIs740affected
SAP_SEODP Data Replication APIsSAP_BW 750affected
SAP_SEODP Data Replication APIs816affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References