CVE-2026-0509

CWE-862 — Missing Authorization4 documents4 sources

Severity

9.6CRITICAL

EPSS

0.0%

top 96.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Abap AND Abap Platform SAP Netweaver AS Abap Kernel SAP Netweaver AS Abap Krnl64nuc +1 more

Timeline

PublishedFeb 10

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:HExploitability: 3.1 | Impact: 5.8

Affected Packages4 packages

▶CVEListV5sap_se/sap_netweaver_application_server_abap_and_abap_platform12 versions+11

▶NVDsap/netweaver_as_abap_kernel9 versions+8

▶NVDsap/netweaver_as_abap_krnl64uc7.22, 7.22ext, 7.53+2

▶NVDsap/netweaver_as_abap_krnl64nuc7.22, 7.22ext+1

🔴Vulnerability Details

CVEList

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform↗2026-02-10

▶

GHSA

GHSA-464q-7rxg-4rqx: SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls witho↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0509 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶