CVE-2026-0509
Undergoing Analysis Undergoing Analysis - In Progress
Improper Authorization in SAP NetWeaver ABAP Causes Integrity Impact

Publication date: 2026-02-10

Last updated on: 2026-02-17

Assigner: SAP SE

Description
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0509
EUVD
EUVD-2026-6472
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
sap netweaver_as_abap_krnl64uc 7.22ext
sap netweaver_as_abap_krnl64uc 7.53
sap netweaver_as_abap_krnl64uc 7.22
sap netweaver_as_abap_kernel 7.22
sap netweaver_as_abap_kernel 7.53
sap netweaver_as_abap_kernel 7.77
sap netweaver_as_abap_krnl64nuc 7.22ext
sap netweaver_as_abap_krnl64nuc 7.22
sap netweaver_as_abap_kernel 7.89
sap netweaver_as_abap_kernel 7.54
sap netweaver_as_abap_kernel 7.93
sap netweaver_as_abap_kernel 9.16
sap netweaver_as_abap_kernel 9.18
sap netweaver_as_abap_kernel 9.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SAP NetWeaver Application Server ABAP and ABAP Platform. It allows an authenticated user with low privileges to perform background Remote Function Calls (RFCs) without having the required S_RFC authorization in certain situations.

Essentially, this means that users who should not have permission to execute certain remote functions can bypass authorization checks and perform these actions.

Impact Analysis

The vulnerability can have a high impact on the integrity and availability of the affected SAP system.

Since unauthorized background Remote Function Calls can be executed, it may lead to unauthorized changes or disruptions in the system's operations.

However, there is no impact on the confidentiality of the application, meaning sensitive data exposure is not a concern in this case.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart