CVE-2026-40133
SAP S/4HANA Condition Maintenance Authorization Bypass
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | s_4hana | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to apply the relevant SAP security patches as provided by SAP Security Notes and updates.
Regularly review SAP Security Notes and apply patches promptly to address authorization check issues in SAP S/4HANA Condition Maintenance.
Can you explain this vulnerability to me?
This vulnerability exists in SAP S/4HANA Condition Maintenance due to a missing authorization check. An authenticated attacker can exploit this flaw to gain unauthorized access to view and modify condition table records.
The impact on confidentiality and integrity of the data is considered low, but the attacker can still alter data they should not have access to.
Additionally, this vulnerability may cause legitimate users to be unable to access these records, resulting in a low impact on application availability.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized viewing and modification of condition table records within SAP S/4HANA, which may compromise the accuracy and trustworthiness of your data.
It may also disrupt normal operations by preventing legitimate users from accessing necessary records, affecting application availability.
Overall, the impacts on confidentiality, integrity, and availability are considered low but could still affect business processes relying on this data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to gain unauthorized access to view and modify condition table records in SAP S/4HANA, impacting the confidentiality and integrity of data. Such unauthorized access and data modification could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access and integrity.
However, the impact is described as low, which may limit the severity of compliance issues, but any unauthorized data access or modification can still pose risks under these regulations.