CVE-2026-27688

Published: Mar 10, 2026Modified: Jun 3, 2026

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: CNA

Description

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.

Affected (16)

Products: Sap: Netweaver Application Server Abap

Sap

1 product

Netweaver Application Server Abap

Configuration A

16 vulnerable

Vulnerable Software	Affected Versions
Sap Netweaver Application Server Abap	Version 700
Sap Netweaver Application Server Abap	Version 701
Sap Netweaver Application Server Abap	Version 702
Sap Netweaver Application Server Abap	Version 730
Sap Netweaver Application Server Abap	Version 731
Sap Netweaver Application Server Abap	Version 740
Sap Netweaver Application Server Abap	Version 750
Sap Netweaver Application Server Abap	Version 751
Sap Netweaver Application Server Abap	Version 752
Sap Netweaver Application Server Abap	Version 753
Sap Netweaver Application Server Abap	Version 754
Sap Netweaver Application Server Abap	Version 755
Sap Netweaver Application Server Abap	Version 756
Sap Netweaver Application Server Abap	Version 757
Sap Netweaver Application Server Abap	Version 758
Sap Netweaver Application Server Abap	Version 816

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://me.sap.com/notes/3704740

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Vendor Advisory

Timeline

No history available yet.