CVE-2026-27672
Description
The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Material Master application lacks authorization checks for authenticated users when executing reports, exposing sensitive information.
Vulnerability Details
The Material Master application in SAP fails to enforce authorization checks for authenticated users when executing reports. This missing access control allows users to access report functionality without proper entitlement validation, leading to information disclosure.
Exploitation
An authenticated user can exploit this vulnerability by simply executing reports that should require additional authorization. No special privileges or network position are required beyond standard user access to the application. The attack vector is through the application's reporting interface.
Impact
Successful exploitation results in the disclosure of sensitive material master data. The confidentiality impact is low, as per the CVSS score, and there is no impact on integrity or availability of the system. The vulnerability does not allow data modification or denial of service.
Mitigation
SAP has addressed this vulnerability through its Security Patch Day process. Administrators should apply the relevant SAP Security Note as soon as possible. For detailed information and patch availability, refer to SAP Security Notes in SAP for Me [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.