CVE-2026-0498 PUBLISHED

Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)

Assigner: sap
Reserved: 09.12.2025 Published: 13.01.2026 Updated: 26.02.2026

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP S/4HANA (Private Cloud and On-Premise)
Versions	Default: unaffected Version S4CORE 102 is affected Version 103 is affected Version 104 is affected Version 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version 109 is affected

CVE-2026-0498 PUBLISHED

Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)

Metrics

Product Status

References

Problem Types