CVE-2026-23683
Description
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality; integrity and availability are not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP Fiori App Intercompany Balance Reconciliation lacks authorization checks, allowing authenticated users to escalate privileges with limited confidentiality impact.
Vulnerability Overview
The SAP Fiori App Intercompany Balance Reconciliation fails to enforce proper authorization checks for authenticated users. This missing validation allows a user to access functions or data they are not entitled to, leading to privilege escalation. The vulnerability has a CVSS v3 base score of 4.3 (Medium) and is described as having low impact on confidentiality, with no impact on integrity or availability [1].
Exploitation Context
An attacker must be authenticated to the SAP system. No special network position or additional privileges are required beyond a valid user account. The weakness lies in the application-level authorization logic, meaning an authenticated user can invoke functions that should require higher privileges [1].
Impact Assessment
Successful exploitation allows the attacker to gain unauthorized access to certain data or functions within the Intercompany Balance Reconciliation app, resulting in a limited breach of confidentiality. Integrity and availability are not affected [1].
Mitigation
SAP has addressed this vulnerability with the release of a security note as part of its monthly Security Patch Day. Organizations should apply the provided patch or upgrade to the corrected version. No workarounds or out-of-cycle fixes are mentioned [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.