CVE-2026-40134
Received - Intake
Authorization Bypass in SAP Incentive and Commission Management

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Meta Information

Published: 2026-05-12

Last Modified: 2026-05-12

Generated: 2026-05-12

AI Q&A: 2026-05-12

EPSS Evaluated: N/A
Affected Vendors & Products

Vendor: sap

Product: incentive_and_commission_management

Version / Range: *
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SAP Incentive and Commission Management application due to insufficient authorization checks. Authenticated users are able to invoke a remote-enabled function module that allows them to perform table update operations without proper permissions.

The vulnerability affects the integrity of the application but does not impact confidentiality or availability.


How can this vulnerability impact me?

The vulnerability can impact the integrity of your data within the SAP Incentive and Commission Management application by allowing unauthorized table updates.

However, it does not affect the confidentiality or availability of the application, meaning sensitive data exposure or service disruption are not concerns related to this issue.

