{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34256", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-03-26T19:02:45.982Z", "datePublished": "2026-04-14T00:08:26.993Z", "dateUpdated": "2026-04-14T13:14:17.750Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:26.993Z"}, "title": "Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "versions": [{"status": "affected", "version": "SAP_FIN 618"}, {"status": "affected", "version": "720"}, {"status": "affected", "version": "730"}, {"status": "affected", "version": "EA-FIN 617"}, {"status": "affected", "version": "700"}, {"status": "affected", "version": "SAPSCORE 135"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3731908"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34256", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:53:55.826414Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:17.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34256", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:53:55.826414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:04.258Z"}}], "cna": {"title": "Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "versions": [{"status": "affected", "version": "SAP_FIN 618"}, {"status": "affected", "version": "720"}, {"status": "affected", "version": "730"}, {"status": "affected", "version": "EA-FIN 617"}, {"status": "affected", "version": "700"}, {"status": "affected", "version": "SAPSCORE 135"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3731908"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:26.993Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34256", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:17.750Z", "dateReserved": "2026-03-26T19:02:45.982Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:08:26.993Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected."}], "id": "CVE-2026-34256", "lastModified": "2026-04-14T01:16:03.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T01:16:03.530", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3731908"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_FIN 618"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "720"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "730"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "EA-FIN 617"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAPSCORE 135"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "EA-APPL 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "602"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "603"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "605"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "606"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "source": "cna", "vendor": "SAP_SE"}, "product": "erp", "vendor": "sap"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_FIN 618"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "720"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "730"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "EA-FIN 617"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAPSCORE 135"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "EA-APPL 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "602"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "603"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "605"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "606"}}], "original": {"product": "SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)", "source": "cna", "vendor": "SAP_SE"}, "product": "s/4_hana", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T02:51:31.523562+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch available at https://me.sap.com/notes/3731908", "Verify that your SAP ERP or SAP S/4 HANA installation is running the patched version as of the latest SAP security patch day", "If unable to apply the patch immediately, restrict or disable the vulnerable ABAP report and monitor for unauthorized attempts"], "summary": {"action": "Apply Patch", "impact": "Disruption of SAP ERP and SAP S/4 HANA availability by overwriting executable ABAP reports"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SAP\u2019s ERP and SAP S/4 HANA systems, both in private cloud and on\u2011premise deployments. The CNA SAP SE has identified these products as impacted. Specific affected versions are not listed, so all running installations of these products could be at risk if they have not applied the available patch.", "description_and_impact": "A missing authorization check in SAP ERP and SAP S/4 HANA allows an authenticated attacker to execute a specific ABAP report that can overwrite any existing eight\u2011character executable ABAP report without the necessary authorization. The weakness is categorized as CWE\u2011862 (Missing Authorization). Once the overwritten report is run, its intended functionality can be lost, which results in a service disruption for the affected functionality. The integrity impact is restricted to the overwritten report, and no data confidentiality is compromised.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a medium severity level. EPSS data is unavailable and the vulnerability is not included in CISA\u2019s KEV catalog, suggesting no publicly known exploits at this time. The primary attack vector is inferred to be an authenticated user in the SAP environment, as the missing authorization check only protects against users who appear to be authorized. Exploitation requires that the attacker possess valid credentials and sufficient rights to execute the vulnerable ABAP report. The impact after exploitation is limited to the availability of the overwritten report and its constituent functionality."}}}}, "created": "2026-04-14T16:16:23.637589+00:00", "updated": "2026-04-14T16:31:20.095751+00:00", "vendors": ["sap", "sap$PRODUCT$erp", "sap$PRODUCT$s/4_hana"]}