CVE-2026-44770
Received Received - Intake

Authorization Bypass in SAP Create Single Payment

Vulnerability report for CVE-2026-44770, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: SAP SE

Description

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sap create_single_payment *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44770 is a vulnerability in SAP Create Single Payment where the application fails to perform necessary authorization checks for authenticated users. This means that a restricted user (someone with limited privileges) can access specific entity set keys, leading to the disclosure of sensitive information.

The vulnerability has a low impact on confidentiality, as it only allows unauthorized access to certain information. It does not affect the integrity or availability of the application, meaning data cannot be altered, and the system remains operational.

The CVSS v3.1 score for this vulnerability is 4.3 (Medium severity), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates the vulnerability is exploitable over a network (AV:N), requires low privileges (PR:L), and has no user interaction requirement (UI:N). The impact is limited to low confidentiality (C:L), with no impact on integrity (I:N) or availability (A:N).

Impact Analysis

If you are an organization using SAP Create Single Payment, this vulnerability could impact you in the following ways:

  • Unauthorized access to sensitive information: Restricted users may gain access to entity set keys, which could contain confidential data, leading to potential data leaks.
  • Compliance risks: Depending on the nature of the exposed data, this could violate internal policies or regulatory requirements, especially if the data includes personally identifiable information (PII) or financial details.
  • Reputation damage: If the vulnerability is exploited and data is exposed, it could harm your organization's reputation and erode customer or stakeholder trust.

However, the impact is limited to confidentiality, as the vulnerability does not allow attackers to modify data or disrupt system operations.

Compliance Impact

This vulnerability could have implications for compliance with several standards and regulations, depending on the type of data exposed:

  • GDPR (General Data Protection Regulation): If the exposed entity set keys contain personal data of EU citizens, unauthorized access could violate GDPR requirements for data protection and confidentiality. Organizations may face fines or penalties if they fail to implement adequate security measures to prevent such breaches.
  • HIPAA (Health Insurance Portability and Accountability Act): If the exposed data includes protected health information (PHI), this vulnerability could lead to non-compliance with HIPAA's Privacy and Security Rules, which mandate strict controls over access to sensitive health data.
  • Other regulations: Depending on the industry and jurisdiction, this vulnerability could also impact compliance with standards like PCI DSS (if payment-related data is exposed) or SOX (if financial reporting data is compromised).

Organizations should assess the nature of the exposed data and take corrective actions, such as applying patches or reconfiguring access controls, to mitigate compliance risks.

Mitigation Strategies

Based on the provided context, the immediate mitigation step is to apply the SAP Security Note referenced in the resources. This note likely contains patches or configuration changes to enforce proper authorization checks for authenticated users in SAP Create Single Payment.

  • Apply SAP Security Note 3713902 (Resource 1) to address the missing authorization checks.
  • Review user roles and permissions to ensure restricted users do not have access to sensitive entity set keys.
  • Monitor SAP system logs for unauthorized access attempts to the affected entity sets.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart