CVE-2026-40134 PUBLISHED

Missing Authorization Check in SAP Incentive and Commission Management

Assigner: sap
Reserved: 09.04.2026 Published: 12.05.2026 Updated: 12.05.2026

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Incentive and Commission Management
Versions	Default: unaffected Version SAP_APPL 618 is affected Version S4CORE 102 is affected Version 103 is affected Version 104 is affected Version 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version 109 is affected Version EA-APPL 600 is affected Version 604 is affected Version 605 is affected Version 606 is affected Version 617 is affected

CVE-2026-40134 PUBLISHED

Missing Authorization Check in SAP Incentive and Commission Management

Metrics

Product Status

References

Problem Types