CVE-2026-27688
Missing Authorization Allows Sensitive Log Access in SAP NetWeaver
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_application_server_for_abap | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The impact of this vulnerability is limited to confidentiality. An attacker with the necessary privileges could read sensitive information from the Database Analyzer Log Files. However, the integrity and availability of the system are not affected by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists due to a missing authorization check in SAP NetWeaver Application Server for ABAP. An authenticated attacker who has user privileges and the ability to execute a specific RFC function module can read Database Analyzer Log Files. This means the attacker could potentially escalate their privileges to access sensitive data.