CVE-2026-23687 PUBLISHED

XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform

Assigner: sap
Reserved: 14.01.2026 Published: 10.02.2026 Updated: 10.02.2026

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor SAP_SE
Product SAP NetWeaver AS ABAP and ABAP Platform
Versions Default: unaffected
  • Version SAP_BASIS 700 is affected
  • Version SAP_BASIS 701 is affected
  • Version SAP_BASIS 702 is affected
  • Version SAP_BASIS 731 is affected
  • Version SAP_BASIS 740 is affected
  • Version SAP_BASIS 750 is affected
  • Version SAP_BASIS 751 is affected
  • Version SAP_BASIS 752 is affected
  • Version SAP_BASIS 753 is affected
  • Version SAP_BASIS 754 is affected
  • Version SAP_BASIS 755 is affected
  • Version SAP_BASIS 756 is affected
  • Version SAP_BASIS 757 is affected
  • Version SAP_BASIS 758 is affected
  • Version SAP_BASIS 804 is affected
  • Version SAP_BASIS 816 is affected
  • Version SAP_BASIS 916 is affected
  • Version SAP_BASIS 917 is affected
  • Version SAP_BASIS 918 is affected

References

Problem Types