CVE-2025-26656: Missing Authorization in SE S 4hana

Severity
4.3 MEDIUM (NVD)
EPSS
0.1%
top 75.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 11

Description

OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

CVEListV5: sap_se/s_4hana, 4 versions (+3)

🔴 Vulnerability Details

2
GHSA
GHSA-734v-c3wv-7593: OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to esc (2025-03-11)
CVEList
Missing Authorization check in S/4HANA (Manage Purchasing Info Records) (2025-03-11)

📋 Vendor Advisories

1
Microsoft
drm/amdgpu: fix use-after-free bug (2024-04-09)