CVE-2026-27690 PUBLISHED

HTTP Request Smuggling in SAP Approuter

Assigner: sap
Reserved: 23.02.2026 Published: 14.07.2026 Updated: 14.07.2026

Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS Score: 9.1

Product Status

Vendor SAP_SE
Product SAP Approuter
Versions Default: unaffected
  • Version SAP Approuter node.js package < 20.10.0 is affected

References

Problem Types