CVE-2026-27688 PUBLISHED

Missing Authorization check in SAP NetWeaver Application Server for ABAP

Assigner: sap
Reserved: 23.02.2026 Published: 10.03.2026 Updated: 10.03.2026

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 5

Product Status

Vendor SAP_SE
Product SAP NetWeaver Application Server for ABAP
Versions Default: unaffected
  • Version SAP_BASIS 700 is affected
  • Version SAP_BASIS 701 is affected
  • Version SAP_BASIS 702 is affected
  • Version SAP_BASIS 710 is affected
  • Version SAP_BASIS 711 is affected
  • Version SAP_BASIS 730 is affected
  • Version SAP_BASIS 731 is affected
  • Version SAP_BASIS 740 is affected
  • Version SAP_BASIS 750 is affected
  • Version SAP_BASIS 751 is affected
  • Version SAP_BASIS 752 is affected
  • Version SAP_BASIS 753 is affected
  • Version SAP_BASIS 754 is affected
  • Version SAP_BASIS 755 is affected
  • Version SAP_BASIS 756 is affected
  • Version SAP_BASIS 757 is affected
  • Version SAP_BASIS 758 is affected
  • Version SAP_BASIS 816 is affected

References

Problem Types