CVE-2026-34264
Received Received - Intake
Information Disclosure via Authorization Bypass in SAP HCM for S/4HANA

Publication date: 2026-04-14

Last updated on: 2026-05-04

Assigner: SAP SE

Description
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34264
EUVD
EUVD-2026-22174
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
sap human_capital_management s4hcmrxx_100
sap human_capital_management s4hcmrxx_101
sap human_capital_management s4hcmrxx_102
sap human_capital_management sap_hrrxx_600
sap human_capital_management sap_hrrxx_604
sap human_capital_management sap_hrrxx_608
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in SAP Human Capital Management for SAP S/4HANA during authorization checks. The system returns specific messages that allow an authenticated user with low privileges to guess and enumerate content beyond their authorized scope.

As a result, sensitive information can be disclosed to unauthorized users, impacting confidentiality. However, the integrity and availability of the system are not affected.

Impact Analysis

The main impact of this vulnerability is the disclosure of sensitive information to users who should not have access to it. This can lead to unauthorized exposure of confidential data.

Since the vulnerability affects confidentiality but not integrity or availability, the risk primarily involves information leakage rather than data alteration or service disruption.

Compliance Impact

This vulnerability leads to the disclosure of sensitive information due to unauthorized enumeration beyond an authenticated user's privileges, which impacts confidentiality.

Such unauthorized disclosure of sensitive data can negatively affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart