CVE-2025-26656
Description
The OData Service in SAP Manage Purchasing Info Records lacks authorization checks, allowing authenticated users to escalate privileges with low integrity impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The OData Service in SAP Manage Purchasing Info Records fails to perform necessary authorization checks for authenticated users. This missing access control allows an authenticated user to perform actions that should be restricted, leading to privilege escalation within the application. The root cause is the absence of proper authorization validation in the OData service endpoint.
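The defect class described in the Overview, as an added ABAP illustration that is not SAP's code and does not reproduce the affected service: a SAP Gateway data-provider update method that trusts authentication alone, beside the same method enforcing an explicit authorization check before touching data. The class, entity set and structure names are placeholders; M_EINF_EKO with fields ACTVT and EKORG is the standard SAP authorization object guarding purchasing info records by purchasing organization, assumed here to be the relevant object.

```abap
" Added illustration, not code from SAP or from the affected OData service.
" Assumed placeholders: zcl_placeholder_dpc_ext, zcl_placeholder_mpc,
" entity set INFORECORDSET and its structure type ts_inforecord.

CLASS zcl_placeholder_dpc_ext IMPLEMENTATION.

  " Weak pattern, the class of defect the CVE describes: the Gateway
  " framework has already authenticated the caller, so the method accepts
  " the request and writes the change without asking whether THIS user may
  " change info records for THIS purchasing organisation.
  METHOD inforecordset_update_entity_weak.   " placeholder name
    DATA ls_inforec TYPE zcl_placeholder_mpc=>ts_inforecord.
    io_data_provider->read_entry_data( IMPORTING es_data = ls_inforec ).
    " ... persist ls_inforec (omitted) ...
    er_entity = ls_inforec.
  ENDMETHOD.

  " Corrected pattern: an AUTHORITY-CHECK before any data access, scoped
  " to the purchasing organisation carried in the incoming entity, so a
  " user authorised for one org cannot use the service to alter another.
  METHOD inforecordset_update_entity.
    DATA ls_inforec TYPE zcl_placeholder_mpc=>ts_inforecord.
    io_data_provider->read_entry_data( IMPORTING es_data = ls_inforec ).

    " ACTVT '02' is the standard activity code for "change".
    AUTHORITY-CHECK OBJECT 'M_EINF_EKO'
      ID 'ACTVT' FIELD '02'
      ID 'EKORG' FIELD ls_inforec-ekorg.
    IF sy-subrc <> 0.
      " Fail closed: the Gateway framework turns this business exception
      " into an OData error response instead of silently accepting the update.
      RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
        EXPORTING
          textid  = /iwbep/cx_mgw_busi_exception=>business_error
          message = 'Not authorized to change purchasing info records'.
    ENDIF.

    " ... persist ls_inforec (omitted) ...
    er_entity = ls_inforec.
  ENDMETHOD.

ENDCLASS.
```

The same check belongs in the create and delete handlers with ACTVT '01' and '06' respectively; an authorization check only on the read path leaves exactly the write-side gap the description reports.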
Exploitation
Prerequisites
An attacker must be authenticated to the SAP system. No special network position is required beyond normal access to the SAP application. The attacker can send crafted OData requests to the vulnerable service to bypass intended access controls and escalate their privileges.
Impact
The vulnerability has a low impact on integrity, as per the CVSS v3 score of 4.3 (Medium). An attacker could potentially modify purchasing info records or related data, but the confidentiality and availability of the system are not affected. The privilege escalation is limited to the scope of the Manage Purchasing Info Records functionality.
Mitigation
SAP has released a security note addressing this vulnerability as part of its regular Security Patch Day [1]. Administrators should apply the relevant patch to remediate the issue. The reference provides general guidance on SAP security maintenance and patch deployment [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.