CVE-2026-34256
Received - Intake
Authorization Bypass in SAP ABAP Report Overwrite Causes Downtime

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: SAP SE

Description
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product    Version / Range
sap       erp        *
sap       s_4hana    *
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise). An authenticated attacker can execute a specific ABAP report that allows them to overwrite any existing eight-character executable ABAP report without proper authorization.

If the overwritten report is later executed, its intended functionality could become unavailable, causing disruption.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability impacts the availability of certain ABAP reports in SAP ERP and SAP S/4HANA systems by allowing an authenticated attacker to overwrite executable reports without authorization. The confidentiality of data remains unaffected, and the integrity impact is limited to the overwritten report.

Since the vulnerability primarily affects availability and has limited impact on integrity, it could potentially affect compliance with standards that require system availability and integrity, such as HIPAA and GDPR. However, there is no direct information provided about specific compliance implications or regulatory breaches.


How can this vulnerability impact me?

Successful exploitation of this vulnerability impacts the availability of the affected ABAP reports, potentially causing them to become unusable.

There is a limited impact on integrity, confined only to the overwritten report, but confidentiality is not affected.

