CVE-2026-27681 PUBLISHED

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

Assigner: sap
Reserved: 23.02.2026 Published: 14.04.2026 Updated: 14.04.2026

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Business Planning and Consolidation and SAP Business Warehouse
Versions	Default: unaffected Version HANABPC 810 is affected Version BPC4HANA 300 is affected Version SAP_BW 750 is affected Version 752 is affected Version 753 is affected Version 754 is affected Version 755 is affected Version 756 is affected Version 757 is affected Version 758 is affected Version 816 is affected

CVE-2026-27681 PUBLISHED

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

Metrics

Product Status

References

Problem Types