CVE-2026-0506

CWE-862 — Missing Authorization4 documents4 sources

Severity

8.1HIGH

EPSS

0.1%

top 81.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Abap AND Abap Platform SAP Netweaver Application Server Abap

Timeline

PublishedJan 13

Description

Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_abap_and_abap_platform15 versions+14

▶NVDsap/netweaver_application15 versions+14

Patches

Patch: url.sap ↗

🔴Vulnerability Details

CVEList

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform↗2026-01-13

▶

GHSA

GHSA-mg77-v38f-9pm9: Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC functio↗2026-01-13

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0506 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶