CVE-2026-27673 PUBLISHED

Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise)

Assigner: sap
Reserved: 23.02.2026 Published: 14.04.2026 Updated: 14.04.2026

Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could leads to no impact on Confidentiality, Low impact on Integrity and Availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
CVSS Score: 4.9

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP S/4HANA (Private Cloud and On-Premise)
Versions	Default: unaffected Version S4CORE 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version 109 is affected Version FI-CA 606 is affected Version 616 is affected Version 617 is affected Version 618 is affected

CVE-2026-27673 PUBLISHED

Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise)

Metrics

Product Status

References

Problem Types