{"api_version":"1","generated_at":"2026-04-14T06:58:42+00:00","cve":"CVE-2026-34256","urls":{"html":"https://cve.report/CVE-2026-34256","api":"https://cve.report/api/cve/CVE-2026-34256.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34256","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34256"},"summary":{"title":"Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","description":"Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.","state":"PUBLISHED","assigner":"sap","published_at":"2026-04-14 01:16:03","updated_at":"2026-04-14 01:16:03"},"problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"cna@sap.com","type":"Primary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","version":"3.1"}}],"references":[{"url":"https://url.sap/sapsecuritypatchday","name":"https://url.sap/sapsecuritypatchday","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://me.sap.com/notes/3731908","name":"https://me.sap.com/notes/3731908","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34256","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34256","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected SAP_FIN 618","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 720","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 730","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected EA-FIN 617","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 700","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected SAPSCORE 135","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected S4CORE 102","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 103","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 104","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 105","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 106","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 107","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 108","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 109","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected EA-APPL 600","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 602","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 603","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 604","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 605","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","version":"affected 606","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","vendor":"SAP_SE","versions":[{"status":"affected","version":"SAP_FIN 618"},{"status":"affected","version":"720"},{"status":"affected","version":"730"},{"status":"affected","version":"EA-FIN 617"},{"status":"affected","version":"700"},{"status":"affected","version":"SAPSCORE 135"},{"status":"affected","version":"S4CORE 102"},{"status":"affected","version":"103"},{"status":"affected","version":"104"},{"status":"affected","version":"105"},{"status":"affected","version":"106"},{"status":"affected","version":"107"},{"status":"affected","version":"108"},{"status":"affected","version":"109"},{"status":"affected","version":"EA-APPL 600"},{"status":"affected","version":"602"},{"status":"affected","version":"603"},{"status":"affected","version":"604"},{"status":"affected","version":"605"},{"status":"affected","version":"606"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.</p>"}],"value":"Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"eng","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-14T00:08:26.993Z","orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap"},"references":[{"url":"https://me.sap.com/notes/3731908"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","assignerShortName":"sap","cveId":"CVE-2026-34256","datePublished":"2026-04-14T00:08:26.993Z","dateReserved":"2026-03-26T19:02:45.982Z","dateUpdated":"2026-04-14T00:08:26.993Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-14 01:16:03","lastModifiedDate":"2026-04-14 01:16:03","problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"cna@sap.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34256","Ordinal":"1","Title":"Missing Authorization check in SAP ERP and SAP S/4 HANA (Private","CVE":"CVE-2026-34256","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34256","Ordinal":"1","NoteData":"Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.","Type":"Description","Title":"Missing Authorization check in SAP ERP and SAP S/4 HANA (Private"}]}}}