CVE-2026-0493
Description
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on integrity of the system. This has no impact on confidentiality and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in SAP Fiori App Intercompany Balance Reconciliation lets an attacker trigger state-changing actions on behalf of an authenticated user, with low integrity impact.
Vulnerability Overview
CVE-2026-0493 describes a Cross-Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation. The root cause is that the application accepts state-changing requests using an inappropriate or non-standard request type, deviating from expected request semantics. This allows an attacker to craft a malicious request that, when executed by an authenticated user, performs unintended actions without the user's consent [1].
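The request-semantics flaw described above, sketched as an added example (not SAP's code and not taken from the advisory): a gate that validates the anti-CSRF token only on unsafe methods still lets a state-changing handler run over GET, while the hardened gate rejects the method before anything else. The route paths, the `X-CSRF-Token` header name and the function names are assumptions for illustration.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical route table: path -> does the handler change state?
ROUTES = {
    "/recon/items": False,           # read-only listing
    "/recon/items/approve": True,    # state-changing action
}


def token_ok(headers, session_token):
    """Constant-time comparison of the submitted token with the session's token."""
    return hmac.compare_digest(headers.get("X-CSRF-Token", ""), session_token)


def legacy_gate(method, path, headers, session_token):
    """Weak pattern: the token is checked by method only, and any method reaches any handler."""
    if path not in ROUTES:
        return 404
    if method not in SAFE_METHODS and not token_ok(headers, session_token):
        return 403
    return 200  # a GET to a state-changing route is dispatched without a token


def hardened_gate(method, path, headers, session_token):
    """Enforce request semantics per route first, then the token on every state change."""
    if path not in ROUTES:
        return 404
    if ROUTES[path]:
        if method in SAFE_METHODS:
            return 405  # state change requested with a safe method: refuse
        if not token_ok(headers, session_token):
            return 403
    elif method not in SAFE_METHODS:
        return 405      # read-only route accepts safe methods only
    return 200


if __name__ == "__main__":
    tok = "constructed-session-token"  # constructed sample value
    for gate in (legacy_gate, hardened_gate):
        print(gate.__name__, gate("GET", "/recon/items/approve", {}, tok))
```
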
Exploitation Conditions
To exploit this vulnerability, an attacker must trick an authenticated user into visiting a malicious page or clicking a crafted link while the user has an active session with the affected SAP Fiori app. No special authentication is needed beyond the victim's existing session; the attacker does not need to be authenticated themselves. The attack vector is network-based and does not require man-in-the-middle positioning.
Impact
Successful exploitation results in a low impact on system integrity, as reflected in the CVSS score of 4.3. The attacker can perform state-changing operations in the Intercompany Balance Reconciliation app on behalf of the victim. There is no impact on confidentiality or availability, meaning no data disclosure or service disruption occurs.
Mitigation
SAP has addressed this vulnerability as part of its regularly scheduled Security Patch Day. The fix is delivered via an SAP Security Note. Users are advised to implement the correction as soon as possible by accessing the note through SAP for Me or by applying the latest support package for the affected component [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.