CVE-2026-44745 PUBLISHED

Open Redirect vulnerability in SAP Approuter

Assigner: sap
Reserved: 07.05.2026 Published: 14.07.2026 Updated: 14.07.2026

SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results in a high impact to the confidentiality and integrity with no impact on the availability of the application.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Product Status

Vendor SAP_SE
Product SAP Approuter
Versions Default: unaffected
  • Version SAP Approuter node.js package < 21.2.0 is affected

References

Problem Types