CVE-2026-27675
ABAP Code Injection in SAP Landscape Transformation RFC Module
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: SAP SE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | landscape_transformation | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in SAP Landscape Transformation within an RFC-exposed function module. It allows a highly privileged attacker to inject arbitrary ABAP code and operating system commands.
While the attacker can modify some information, they do not have control over the kind or degree of modification.
The overall impact is low on integrity, and there is no impact on confidentiality or availability.
How can this vulnerability impact me?
This vulnerability could allow a highly privileged adversary to modify some information within the SAP Landscape Transformation system.
However, the attacker does not have control over the type or extent of the modifications, resulting in a low impact on data integrity.
There is no impact on confidentiality or availability, so sensitive data exposure or system downtime are not expected consequences.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a highly privileged adversary to inject arbitrary ABAP code and operating system commands, which could lead to modification of some information. However, the impact on integrity is low, and confidentiality and availability are not affected.
Given the low impact on integrity and no impact on confidentiality or availability, the vulnerability poses a limited risk to compliance with standards and regulations such as GDPR or HIPAA, which emphasize protection of confidentiality and integrity of sensitive data.
Nevertheless, any unauthorized modification of information could potentially raise concerns under these regulations, depending on the context and sensitivity of the affected data.