CVE-2026-27688
Analyzed
Analyzed - Analysis Complete
Missing Authorization Allows Sensitive Log Access in SAP NetWeaver
Publication date: 2026-03-10
Last updated on: 2026-06-03
Assigner: SAP SE
Description
Description
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_application_server_abap | 702 |
| sap | netweaver_application_server_abap | 700 |
| sap | netweaver_application_server_abap | 701 |
| sap | netweaver_application_server_abap | 730 |
| sap | netweaver_application_server_abap | 731 |
| sap | netweaver_application_server_abap | 740 |
| sap | netweaver_application_server_abap | 750 |
| sap | netweaver_application_server_abap | 751 |
| sap | netweaver_application_server_abap | 752 |
| sap | netweaver_application_server_abap | 753 |
| sap | netweaver_application_server_abap | 754 |
| sap | netweaver_application_server_abap | 755 |
| sap | netweaver_application_server_abap | 756 |
| sap | netweaver_application_server_abap | 757 |
| sap | netweaver_application_server_abap | 758 |
| sap | netweaver_application_server_abap | 816 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
