CVE-2026-40132
Authorization Bypass in SAP SEM Scorecard
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | strategic_enterprise_management | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SAP Strategic Enterprise Management, specifically in the Scorecard Wizard component within Business Server Pages. It is caused by a missing authorization check, which allows an authenticated attacker to access information they should not be authorized to view.
Additionally, the attacker can change default settings and modify value fields, which can mislead risk evaluations and falsely lower assessed risk levels.
The impact on confidentiality and integrity is considered low, and there is no impact on the availability of the application.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability could gain unauthorized access to sensitive information within the SAP Strategic Enterprise Management system.
They could also alter default settings and modify value fields, which may lead to incorrect risk evaluations and falsely lower the assessed risk levels.
This could result in decisions being made based on inaccurate data, potentially affecting business risk management processes.
However, the overall impact on confidentiality and integrity is low, and the availability of the application is not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to access unauthorized information and modify default settings, which can mislead risk evaluations and falsely lower assessed risk levels. Such unauthorized access and data manipulation could potentially impact compliance with standards and regulations that require strict controls on data confidentiality and integrity, such as GDPR and HIPAA.
However, the impact is described as low on confidentiality and integrity, and there is no impact on availability. The specific effect on compliance would depend on the sensitivity of the data accessed or altered and the regulatory requirements for protecting that data.