CVE-2026-34264
Received Received - Intake

Information Disclosure via Authorization Bypass in SAP HCM for S/4HANA

Vulnerability report for CVE-2026-34264, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-14

Last updated on: 2026-05-04

Assigner: SAP SE

Description

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-14
Last Modified
2026-05-04
Generated
2026-07-06
AI Q&A
2026-04-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
sap human_capital_management s4hcmrxx_100
sap human_capital_management s4hcmrxx_101
sap human_capital_management s4hcmrxx_102
sap human_capital_management sap_hrrxx_600
sap human_capital_management sap_hrrxx_604
sap human_capital_management sap_hrrxx_608

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in SAP Human Capital Management for SAP S/4HANA during authorization checks. The system returns specific messages that allow an authenticated user with low privileges to guess and enumerate content beyond their authorized scope.

As a result, sensitive information can be disclosed to unauthorized users, impacting confidentiality. However, the integrity and availability of the system are not affected.

Compliance Impact

This vulnerability leads to the disclosure of sensitive information due to unauthorized enumeration beyond an authenticated user's privileges, which impacts confidentiality.

Such unauthorized disclosure of sensitive data can negatively affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Impact Analysis

The main impact of this vulnerability is the disclosure of sensitive information to users who should not have access to it. This can lead to unauthorized exposure of confidential data.

Since the vulnerability affects confidentiality but not integrity or availability, the risk primarily involves information leakage rather than data alteration or service disruption.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart