CVE-2026-34264
Received Received - Intake
Information Disclosure via Authorization Bypass in SAP HCM for S/4HANA

Publication date: 2026-04-14

Last updated on: 2026-05-04

Assigner: SAP SE

Description
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-05-04
Generated
2026-05-06
AI Q&A
2026-04-14
EPSS Evaluated
2026-05-05
NVD
CVE-2026-34264
EUVD
EUVD-2026-22174
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
sap human_capital_management s4hcmrxx_100
sap human_capital_management s4hcmrxx_101
sap human_capital_management s4hcmrxx_102
sap human_capital_management sap_hrrxx_600
sap human_capital_management sap_hrrxx_604
sap human_capital_management sap_hrrxx_608
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in SAP Human Capital Management for SAP S/4HANA during authorization checks. The system returns specific messages that allow an authenticated user with low privileges to guess and enumerate content beyond their authorized scope.

As a result, sensitive information can be disclosed to unauthorized users, impacting confidentiality. However, the integrity and availability of the system are not affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability leads to the disclosure of sensitive information due to unauthorized enumeration beyond an authenticated user's privileges, which impacts confidentiality.

Such unauthorized disclosure of sensitive data can negatively affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.


How can this vulnerability impact me? :

The main impact of this vulnerability is the disclosure of sensitive information to users who should not have access to it. This can lead to unauthorized exposure of confidential data.

Since the vulnerability affects confidentiality but not integrity or availability, the risk primarily involves information leakage rather than data alteration or service disruption.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart