CVE-2026-0509 PUBLISHED

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Assigner: sap
Reserved: 09.12.2025 Published: 10.02.2026 Updated: 10.02.2026

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver Application Server ABAP and ABAP Platform
Versions	Default: unaffected Version KRNL64NUC 7.22 is affected Version 7.22EXT is affected Version KRNL64UC 7.22 is affected Version 7.53 is affected Version KERNEL 7.22 is affected Version 7.54 is affected Version 7.77 is affected Version 7.89 is affected Version 7.93 is affected Version 9.16 is affected Version 9.18 is affected Version 9.19 is affected

CVE-2026-0509 PUBLISHED

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Metrics

Product Status

References

Problem Types