CVE-2026-40132
Authorization Bypass in SAP SEM Scorecard
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | strategic_enterprise_management | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SAP Strategic Enterprise Management, specifically in the Scorecard Wizard component within Business Server Pages. It is caused by a missing authorization check, which allows an authenticated attacker to access information they should not be authorized to view.
Additionally, the attacker can change default settings and modify value fields, which can mislead risk evaluations and falsely lower assessed risk levels.
The impact on confidentiality and integrity is considered low, and there is no impact on the availability of the application.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could gain unauthorized access to sensitive information within the SAP Strategic Enterprise Management system.
They could also alter default settings and modify value fields, which may lead to incorrect risk evaluations and falsely lower the assessed risk levels.
This could result in decisions being made based on inaccurate data, potentially affecting business risk management processes.
However, the overall impact on confidentiality and integrity is low, and the availability of the application is not affected.
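The two answers above describe the general shape of CWE-862: the application verifies who the caller is, but never asks whether that caller may read the scorecard's settings or change its value fields, so an authenticated user can push the computed risk below its threshold. The following constructed Python example, added here as an illustration and not SAP code or the actual Scorecard Wizard logic, shows a request handler with that defect beside a hardened version that makes an explicit authorization decision (ownership of the scorecard plus a role) before every read and write. The data model, the role names `SCORECARD_VIEW` / `SCORECARD_EDIT`, the session tokens and the toy risk calculation are all assumptions chosen for the demonstration.

```python
"""CWE-862 illustration: authenticated-but-unauthorized access to scorecard
settings. Constructed example, not SAP code; every identifier below is an
assumption made for the demonstration."""
from dataclasses import dataclass, field


@dataclass
class Scorecard:
    scorecard_id: str
    owner_unit: str                    # business unit that owns the scorecard
    settings: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    unit: str
    roles: frozenset


# Constructed sample data: two scorecards owned by different units.
SCORECARDS = {
    "SC-100": Scorecard("SC-100", "finance", {"risk_weight": 0.8, "threshold": 70}),
    "SC-200": Scorecard("SC-200", "hr", {"risk_weight": 0.5, "threshold": 60}),
}

# Constructed session store: token -> authenticated user.
SESSIONS = {
    "tok-alice": User("alice", "finance", frozenset({"SCORECARD_EDIT"})),
    "tok-bob": User("bob", "hr", frozenset({"SCORECARD_VIEW"})),
}


def authenticate(token):
    """Authentication only: establishes WHO is calling, nothing more."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("not authenticated")
    return user


# --- vulnerable handlers: authentication is checked, authorization never is ---
def get_settings_vulnerable(token, scorecard_id):
    authenticate(token)                              # who are you?   (checked)
    return dict(SCORECARDS[scorecard_id].settings)   # may you see it? (never asked)


def update_field_vulnerable(token, scorecard_id, key, value):
    authenticate(token)
    SCORECARDS[scorecard_id].settings[key] = value   # any authenticated user can write
    return True


# --- hardened handlers: an explicit authorization decision guards each action ---
def authorize(user, scorecard, action):
    """True only if the user's unit owns the scorecard AND the user holds a role
    that permits the action. Deny by default for unknown actions."""
    needed = {
        "view": {"SCORECARD_VIEW", "SCORECARD_EDIT"},
        "edit": {"SCORECARD_EDIT"},
    }.get(action, set())
    return scorecard.owner_unit == user.unit and bool(user.roles & needed)


def get_settings_secure(token, scorecard_id):
    user = authenticate(token)
    sc = SCORECARDS[scorecard_id]
    if not authorize(user, sc, "view"):
        raise PermissionError(f"{user.name} may not view {scorecard_id}")
    return dict(sc.settings)


def update_field_secure(token, scorecard_id, key, value):
    user = authenticate(token)
    sc = SCORECARDS[scorecard_id]
    if not authorize(user, sc, "edit"):
        raise PermissionError(f"{user.name} may not edit {scorecard_id}")
    sc.settings[key] = value
    return True


def risk_score(scorecard_id, raw_score):
    """Toy risk evaluation driven by the (possibly tampered) value fields:
    a finding is flagged when weight * raw_score reaches the threshold."""
    s = SCORECARDS[scorecard_id].settings
    score = raw_score * s["risk_weight"]
    return {"score": score, "flagged": score >= s["threshold"]}


def is_denied(handler, *args):
    """Helper for checks: True if the handler refuses the call with PermissionError."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # bob (hr, view-only) lowers finance's risk weight through the vulnerable path
    print(risk_score("SC-100", 90))                              # flagged
    update_field_vulnerable("tok-bob", "SC-100", "risk_weight", 0.1)
    print(risk_score("SC-100", 90))                              # no longer flagged
    print(is_denied(update_field_secure, "tok-bob", "SC-100", "risk_weight", 0.1))
```

The point of the pairing is that the fix is not in `authenticate` at all: the vulnerable and hardened handlers share it. What changes is that every read and write of a scorecard passes through `authorize`, which encodes the resource owner and the required role, and denies by default. In a real deployment the equivalent check is the server-side authority check in the BSP application; the client-side wizard UI cannot substitute for it.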