CVE-2026-27686 PUBLISHED

Missing Authorization check in SAP Business Warehouse (Service API)

Assigner: sap
Reserved: 23.02.2026 Published: 10.03.2026 Updated: 10.03.2026

Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Business Warehouse (Service API)
Versions	Default: unaffected Version DW4CORE 200 is affected Version 300 is affected Version 400 is affected Version PI_BASIS 2006_1_700 is affected Version 701 is affected Version 702 is affected Version 730 is affected Version 731 is affected Version 740 is affected Version SAP_BW 750 is affected Version 751 is affected Version 752 is affected Version 753 is affected Version 754 is affected Version 755 is affected Version 756 is affected Version 757 is affected Version 758 is affected Version 816 is affected

CVE-2026-27686 PUBLISHED

Missing Authorization check in SAP Business Warehouse (Service API)

Metrics

Product Status

References

Problem Types