CVE-2026-0509

Published: Feb 10, 2026Modified: Feb 17, 2026

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Exploitability: 3.1 / Impact: 5.8

Source: CNA

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

Affected (14)

Products: Sap: Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc

Sap

3 products

Netweaver As Abap Kernel

Netweaver As Abap Krnl64nuc

Netweaver As Abap Krnl64uc

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Sap Netweaver As Abap Kernel	Version 7.22
Sap Netweaver As Abap Kernel	Version 7.53
Sap Netweaver As Abap Kernel	Version 7.54
Sap Netweaver As Abap Kernel	Version 7.77
Sap Netweaver As Abap Kernel	Version 7.89
Sap Netweaver As Abap Kernel	Version 7.93
Sap Netweaver As Abap Kernel	Version 9.16
Sap Netweaver As Abap Kernel	Version 9.18
Sap Netweaver As Abap Kernel	Version 9.19
Sap Netweaver As Abap Krnl64nuc	Version 7.22
Sap Netweaver As Abap Krnl64nuc	Version 7.22ext
Sap Netweaver As Abap Krnl64uc	Version 7.22
Sap Netweaver As Abap Krnl64uc	Version 7.22ext
Sap Netweaver As Abap Krnl64uc	Version 7.53

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://me.sap.com/notes/3674774

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Vendor Advisory

Timeline

No history available yet.