CVE-2026-40132
Received Received - Intake
Authorization Bypass in SAP SEM Scorecard

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the applicationοΏ½s availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-40132
EUVD
EUVD-2026-29362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap strategic_enterprise_management *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SAP Strategic Enterprise Management, specifically in the Scorecard Wizard component within Business Server Pages. It is caused by a missing authorization check, which allows an authenticated attacker to access information they should not be authorized to view.

Additionally, the attacker can change default settings and modify value fields, which can mislead risk evaluations and falsely lower assessed risk levels.

The impact on confidentiality and integrity is considered low, and there is no impact on the availability of the application.

Impact Analysis

An attacker exploiting this vulnerability could gain unauthorized access to sensitive information within the SAP Strategic Enterprise Management system.

They could also alter default settings and modify value fields, which may lead to incorrect risk evaluations and falsely lower the assessed risk levels.

This could result in decisions being made based on inaccurate data, potentially affecting business risk management processes.

However, the overall impact on confidentiality and integrity is low, and the availability of the application is not affected.

Compliance Impact

This vulnerability allows an authenticated attacker to access unauthorized information and modify default settings, which can mislead risk evaluations and falsely lower assessed risk levels. Such unauthorized access and data manipulation could potentially impact compliance with standards and regulations that require strict controls on data confidentiality and integrity, such as GDPR and HIPAA.

However, the impact is described as low on confidentiality and integrity, and there is no impact on availability. The specific effect on compliance would depend on the sensitivity of the data accessed or altered and the regulatory requirements for protecting that data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart