CVE-2026-40133
Received Received - Intake
SAP S/4HANA Condition Maintenance Authorization Bypass

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-40133
EUVD
EUVD-2026-29360
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap s_4hana *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, it is recommended to apply the relevant SAP security patches as provided by SAP Security Notes and updates.

Regularly review SAP Security Notes and apply patches promptly to address authorization check issues in SAP S/4HANA Condition Maintenance.

Executive Summary

This vulnerability exists in SAP S/4HANA Condition Maintenance due to a missing authorization check. An authenticated attacker can exploit this flaw to gain unauthorized access to view and modify condition table records.

The impact on confidentiality and integrity of the data is considered low, but the attacker can still alter data they should not have access to.

Additionally, this vulnerability may cause legitimate users to be unable to access these records, resulting in a low impact on application availability.

Impact Analysis

The vulnerability can lead to unauthorized viewing and modification of condition table records within SAP S/4HANA, which may compromise the accuracy and trustworthiness of your data.

It may also disrupt normal operations by preventing legitimate users from accessing necessary records, affecting application availability.

Overall, the impacts on confidentiality, integrity, and availability are considered low but could still affect business processes relying on this data.

Compliance Impact

This vulnerability allows an authenticated attacker to gain unauthorized access to view and modify condition table records in SAP S/4HANA, impacting the confidentiality and integrity of data. Such unauthorized access and data modification could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access and integrity.

However, the impact is described as low, which may limit the severity of compliance issues, but any unauthorized data access or modification can still pose risks under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart