CVE-2026-34256 PUBLISHED

Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Assigner: sap
Reserved: 26.03.2026 Published: 14.04.2026 Updated: 14.04.2026

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 7.1

Product Status

Vendor SAP_SE
Product SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Versions Default: unaffected
  • Version SAP_FIN 618 is affected
  • Version 720 is affected
  • Version 730 is affected
  • Version EA-FIN 617 is affected
  • Version 700 is affected
  • Version SAPSCORE 135 is affected
  • Version S4CORE 102 is affected
  • Version 103 is affected
  • Version 104 is affected
  • Version 105 is affected
  • Version 106 is affected
  • Version 107 is affected
  • Version 108 is affected
  • Version 109 is affected
  • Version EA-APPL 600 is affected
  • Version 602 is affected
  • Version 603 is affected
  • Version 604 is affected
  • Version 605 is affected
  • Version 606 is affected

References

Problem Types