CVE-2026-24326 PUBLISHED

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

Assigner: sap
Reserved: 21.01.2026 Published: 10.02.2026 Updated: 10.02.2026

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP S/4HANA Defense & Security (Disconnected Operations)
Versions	Default: unaffected Version EA-DFPS 600 is affected Version 603 is affected Version 604 is affected Version 605 is affected Version 606 is affected Version 616 is affected Version 617 is affected Version 618 is affected Version 619 is affected Version 800 is affected Version 801 is affected Version 802 is affected Version 803 is affected Version 804 is affected Version 805 is affected Version 806 is affected Version 807 is affected Version 808 is affected Version 809 is affected

CVE-2026-24326 PUBLISHED

Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

Metrics

Product Status

References

Problem Types