{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27678", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.513Z", "datePublished": "2026-04-14T00:07:33.397Z", "dateUpdated": "2026-04-14T13:14:18.299Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:33.397Z"}, "title": "Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA Backend OData Service (Manage Reference Structures)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3715177"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:47.817871Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:18.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:47.817871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:12.551Z"}}], "cna": {"title": "Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA Backend OData Service (Manage Reference Structures)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3715177"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:33.397Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27678", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:18.299Z", "dateReserved": "2026-02-23T17:50:10.513Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:07:33.397Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted."}], "id": "CVE-2026-27678", "lastModified": "2026-04-14T00:16:06.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:06.270", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3715177"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 109"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP S/4HANA Backend OData Service (Manage Reference Structures)", "source": "cna", "vendor": "SAP_SE"}, "product": "s/4hana", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:22:04.520741+00:00", "value": {"mitigation_remediation": ["Apply the security patch referenced in SAP Note\u00a03715177 to the SAP\u00a0S/4HANA backend OData Service.", "Verify that the authorized roles and permissions are correctly configured for OData access.", "Restrict network access to the OData service to trusted hosts or VPN users only.", "Monitor transaction logs for unauthorized create, update, or delete operations on child entities."], "summary": {"action": "Apply Patch", "impact": "Data Integrity"}, "threat_synthesis": {"affected_systems": "SAP\u00a0S/4HANA Backend OData Service (Manage Reference Structures) is the impacted product. The CVE specifically references SAP\u00a0SE\u2019s implementation of this service on the SAP\u00a0S/4HANA platform. No specific version numbers are supplied, so all deployments of this component may be affected until a fix is applied.", "description_and_impact": "The vulnerability arises from a missing authorization check in the SAP\u00a0S/4HANA backend OData Service for Manage Reference Structures. Because the service fails to validate user permissions, an attacker can modify or delete child entity records through exposed OData endpoints. This results in a breach of data integrity, allowing unauthorized changes to critical business data. The weakness corresponds to CWE\u2011862, Unauthorized Access.", "risk_and_exploitability": "The CVSS score for this issue is 6.5, indicating a moderately high potential for harm. EPSS data is not available, so the exact likelihood of exploitation cannot be quantified. The vulnerability is not listed as a known exploited vulnerability by CISA. An attacker would need network access to the SAP\u00a0S/4HANA system and appropriate credentials that grant access to the OData interface; once the request is sent, the missing check permits the update or deletion of data without further authorization."}}}}, "created": "2026-04-14T16:16:27.835518+00:00", "updated": "2026-04-14T16:31:24.301486+00:00", "vendors": ["sap", "sap$PRODUCT$s/4hana"]}