{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27676", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.513Z", "datePublished": "2026-04-14T00:07:12.657Z", "dateUpdated": "2026-04-14T13:14:18.632Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:12.657Z"}, "title": "Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA OData Service (Manage Technical Object Structures)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3711682"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:22.095236Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:18.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:22.095236Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:16.676Z"}}], "cna": {"title": "Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA OData Service (Manage Technical Object Structures)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3711682"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:12.657Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27676", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:18.632Z", "dateReserved": "2026-02-23T17:50:10.513Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:07:12.657Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted."}], "id": "CVE-2026-27676", "lastModified": "2026-04-14T00:16:05.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:05.987", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3711682"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 109"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP S/4HANA OData Service (Manage Technical Object Structures)", "source": "cna", "vendor": "SAP_SE"}, "product": "s/4hana", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:23:26.972893+00:00", "value": {"mitigation_remediation": ["Apply SAP Note 3711682 to patch the OData service and eliminate the missing authorization checks.", "Verify that only authenticated and authorized users have write or delete rights against the affected OData endpoints.", "Restrict network access to the OData service, ensuring that only trusted hosts or VPN connections can reach it.", "If a patch cannot be deployed immediately, consider disabling the exposed OData endpoints or applying temporary configuration filters to block write/delete operations."], "summary": {"action": "Apply Patch", "impact": "Integrity Compromise"}, "threat_synthesis": {"affected_systems": "The affected system is SAP S/4HANA, specifically the OData Service for managing technical object structures. No specific software version details are provided in the report.", "description_and_impact": "A missing authorization check in the SAP S/4HANA OData Service for managing technical object structures allows an attacker to update or delete child entities through exposed OData endpoints. The flaw leads to unauthorized modification of data, resulting in a low-level impact on data integrity, while confidentiality and availability remain unaffected. The weakness is a classic missing authorization control (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity overall, and no EPSS score is available, so the exploitation likelihood is uncertain. Because the vulnerability requires only access to the exposed OData endpoints, an attacker could exploit it from any network segment that can reach those services, assuming no authentication checks are in place. Although the impact on confidentiality and availability is minimal, the ability to alter or delete data could disrupt business processes, warranting prompt attention. The vulnerability is not listed in the CISA KEV catalog, but it still poses an integrity risk that should be mitigated."}}}}, "created": "2026-04-14T16:16:30.035865+00:00", "updated": "2026-04-14T16:31:26.530417+00:00", "vendors": ["sap", "sap$PRODUCT$s/4hana"]}