CVE-2026-27672 PUBLISHED

Missing Authorization check in Material Master Application

Assigner: sap
Reserved: 23.02.2026 Published: 14.04.2026 Updated: 14.04.2026

The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	Material Master Application
Versions	Default: unaffected Version S4CORE 102 is affected Version 103 is affected Version 104 is affected Version 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version 109 is affected Version SCM_BASIS 700 is affected Version SCM_BASIS 701 is affected Version SCM_BASIS 702 is affected Version SCM_BASIS 712 is affected Version SCM_BASIS 713 is affected Version SCM_BASIS 714 is affected

CVE-2026-27672 PUBLISHED

Missing Authorization check in Material Master Application

Metrics

Product Status

References

Problem Types