CVE-2026-44749
SAP Gateway Information Disclosure via Error Message Injection
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: SAP SE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | sap_gateway | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SAP Gateway, where attackers can inject content into error messages.
This injection can cause the error messages to disclose request artefacts such as regex patterns and reveal the underlying URI parsing logic.
The impact on confidentiality is considered low, and there is no impact on integrity or availability.
How can this vulnerability impact me?
The vulnerability can lead to the disclosure of certain internal request details, like regex patterns and URI parsing logic, through error messages.
This may provide attackers with additional information about the system's internal workings, which could potentially aid in further attacks.
However, the overall impact on confidentiality is low, and there is no effect on data integrity or system availability.