{"api_version":"1","generated_at":"2026-04-22T21:39:18+00:00","cve":"CVE-2026-34261","urls":{"html":"https://cve.report/CVE-2026-34261","api":"https://cve.report/api/cve/CVE-2026-34261.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34261","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34261"},"summary":{"title":"Missing Authorization check in SAP Business Analytics and SAP Content Management","description":"Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.","state":"PUBLISHED","assigner":"sap","published_at":"2026-04-14 01:16:03","updated_at":"2026-04-17 15:18:16"},"problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"cna@sap.com","type":"Primary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://me.sap.com/notes/3705094","name":"https://me.sap.com/notes/3705094","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://url.sap/sapsecuritypatchday","name":"https://url.sap/sapsecuritypatchday","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34261","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34261","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected S4HCMRXX 100","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected 101","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected 102","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected SAP_HRRXX 600","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected 604","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP Business Analytics and SAP Content Management","version":"affected 608","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34261","cve":"CVE-2026-34261","epss":"0.000260000","percentile":"0.072260000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34261","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-14T12:53:23.140179Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-14T13:14:17.473Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP Business Analytics and SAP Content Management","vendor":"SAP_SE","versions":[{"status":"affected","version":"S4HCMRXX 100"},{"status":"affected","version":"101"},{"status":"affected","version":"102"},{"status":"affected","version":"SAP_HRRXX 600"},{"status":"affected","version":"604"},{"status":"affected","version":"608"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.</p>"}],"value":"Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"eng","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-14T00:08:51.232Z","orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap"},"references":[{"url":"https://me.sap.com/notes/3705094"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"Missing Authorization check in SAP Business Analytics and SAP Content Management","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","assignerShortName":"sap","cveId":"CVE-2026-34261","datePublished":"2026-04-14T00:08:51.232Z","dateReserved":"2026-03-26T19:02:45.983Z","dateUpdated":"2026-04-14T13:14:17.473Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-14 01:16:03","lastModifiedDate":"2026-04-17 15:18:16","problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"cna@sap.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34261","Ordinal":"1","Title":"Missing Authorization check in SAP Business Analytics and SAP Co","CVE":"CVE-2026-34261","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34261","Ordinal":"1","NoteData":"Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.","Type":"Description","Title":"Missing Authorization check in SAP Business Analytics and SAP Co"}]}}}