CVE-2026-0497
Description
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP Product Designer Web UI allows authenticated non-administrative users to access non-sensitive information, with low confidentiality impact.
Vulnerability Overview
CVE-2026-0497 affects the SAP Product Designer Web UI component of Business Server Pages (BSP). The vulnerability allows authenticated users who do not hold administrative privileges to access non-sensitive information that should otherwise be restricted. The root cause lies in insufficient access control checks within the Web UI, enabling a low-severity information disclosure [1].
Exploitation Prerequisites
An attacker must first obtain valid authentication credentials for a non-administrative user account on the SAP system. No special network position or additional privileges are required beyond standard user access. The attack vector is over the network, and the complexity is low, as the vulnerability can be triggered through normal web requests to the affected UI component [1].
Impact
Successful exploitation results in the disclosure of non-sensitive information, which may include configuration details or metadata that could aid in further reconnaissance. The CVSS v3 base score of 4.3 (Medium) reflects a low impact on confidentiality, with no impact on integrity or availability [1].
Mitigation
SAP has released a security note as part of its regular Patch Day cycle. Administrators should apply the provided patch to correct the access control flaw. No workarounds have been published, and the vulnerability is not known to be exploited in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.