CVE-2026-24316 PUBLISHED

Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

Assigner: sap
Reserved: 21.01.2026 Published: 10.03.2026 Updated: 10.03.2026

SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver Application Server for ABAP
Versions	Default: unaffected Version SAP_BASIS 740 is affected Version SAP_BASIS 750 is affected Version SAP_BASIS 751 is affected Version SAP_BASIS 752 is affected Version SAP_BASIS 753 is affected Version SAP_BASIS 754 is affected Version SAP_BASIS 755 is affected Version SAP_BASIS 756 is affected Version SAP_BASIS 757 is affected Version SAP_BASIS 758 is affected Version SAP_BASIS 816 is affected Version SAP_BASIS 918 is affected

CVE-2026-24316 PUBLISHED

Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

Metrics

Product Status

References

Problem Types