CVE-2026-40134
Status: Received - Intake
Authorization Bypass in SAP Incentive and Commission Management

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Meta Information
Generated: 2026-06-01
AI Q&A: 2026-05-12
EPSS Evaluated: 2026-05-31
Affected Vendors & Products
Vendor: sap
Product: incentive_and_commission_management
Version / Range: * (wildcard CPE, no version range given)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SAP Incentive and Commission Management application due to insufficient authorization checks. Authenticated users are able to invoke a remote-enabled function module that allows them to perform table update operations without proper permissions.

The vulnerability affects the integrity of the application but does not impact confidentiality or availability.


How can this vulnerability impact me?

The vulnerability can impact the integrity of your data within the SAP Incentive and Commission Management application by allowing unauthorized table updates.

However, it does not affect the confidentiality or availability of the application, meaning that neither sensitive data exposure nor service disruption is a concern related to this issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability has a low impact on integrity and no impact on confidentiality or availability of the application.

Since there is no impact on confidentiality, the risk of unauthorized data disclosure is minimal, which suggests limited direct effect on compliance with data protection regulations such as GDPR or HIPAA.

However, the ability for authenticated users to perform unauthorized table update operations could affect data integrity, which may have indirect implications for compliance depending on the specific regulatory requirements for data accuracy and integrity.

