CVE-2026-0506
Missing Authorization Check in SAP ABAP RFC Enables Data Manipulation
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: SAP SE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | application_server_abap | * |
| sap | abap_platform | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization Check in SAP Application Server ABAP and ABAP Platform. An authenticated attacker can misuse a Remote Function Call (RFC) function to execute form routines (FORMs) within the ABAP system. By exploiting this, the attacker can write or modify data accessible via these FORM routines and invoke system functionality exposed through them. This leads to a high impact on data integrity and system availability, although confidentiality is not affected.
How can this vulnerability impact me?
Exploitation of this vulnerability can allow an attacker to alter or write data within the ABAP system and invoke system functions improperly. This can compromise the integrity and availability of the system, potentially causing data corruption or system disruptions. However, the confidentiality of data remains unaffected.