CVE-2026-44749
Awaiting Analysis Awaiting Analysis - Queue
SAP Gateway Information Disclosure via Error Message Injection

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: SAP SE

Description
The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Integrity and availability are unaffected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-44749
EUVD
EUVD-2026-31933
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap sap_gateway *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the SAP Gateway, where attackers can inject content into error messages.

This injection can cause the error messages to disclose request artefacts such as regex patterns and reveal the underlying URI parsing logic.

The impact on confidentiality is considered low, and there is no impact on integrity or availability.

Impact Analysis

The vulnerability can lead to the disclosure of certain internal request details, like regex patterns and URI parsing logic, through error messages.

This may provide attackers with additional information about the system's internal workings, which could potentially aid in further attacks.

However, the overall impact on confidentiality is low, and there is no effect on data integrity or system availability.

Compliance Impact

This vulnerability in the SAP Gateway allows attackers to inject content into error messages, which can lead to the disclosure of request artefacts and reveal underlying URI parsing logic. This results in a low impact on confidentiality, while integrity and availability remain unaffected.

Given the low impact on confidentiality, this vulnerability could potentially affect compliance with standards and regulations that require protection of sensitive data, such as GDPR and HIPAA, by increasing the risk of unauthorized information disclosure. However, since the impact is low and does not affect integrity or availability, the overall compliance risk may be limited but still present.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart