CVE-2026-27677
Description
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization checks in SAP S/4HANA OData Service (Manage Reference Equipment) allow attackers to update or delete child entities, compromising integrity.
Root Cause
The vulnerability resides in the SAP S/4HANA OData Service for Manage Reference Equipment. Due to missing authorization checks, the OData endpoints do not properly verify that the requesting user has the necessary privileges to modify child entities. This flaw allows an attacker to bypass intended access controls and perform unauthorized modifications or deletions.
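The pattern described above, an authorization check enforced on the root entity set but skipped for writes addressed to child entities through a navigation path, is easiest to see in a small model. The following is an added illustration, not code from SAP or from this advisory: the entity set name, the `to_Components` navigation, the ACTVT-style activity codes and the request shapes are assumptions chosen to mirror the description, and the data is constructed inline.

```python
"""Model of a parent/child OData service where the vulnerable handler only
checks authorization on the root entity set.  Constructed illustration; the
entity names, activity codes and request shapes are assumptions, not details
taken from the SAP advisory."""

from dataclasses import dataclass, field

# Activity codes modelled on SAP's ACTVT convention (03 display, 02 change,
# 06 delete).  Whether the real service uses this object is an assumption.
ACTVT_DISPLAY, ACTVT_CHANGE, ACTVT_DELETE = "03", "02", "06"
METHOD_TO_ACTVT = {"GET": ACTVT_DISPLAY, "PATCH": ACTVT_CHANGE, "DELETE": ACTVT_DELETE}

ROOT_ENTITY_SET = "ReferenceEquipment"   # assumed root entity set name
CHILD_NAV = "to_Components"              # assumed navigation to child entities


@dataclass
class Store:
    parents: dict = field(default_factory=dict)   # parent key -> record
    children: dict = field(default_factory=dict)  # child key -> record


def make_store() -> Store:
    """Constructed sample data: one reference equipment with two components."""
    s = Store()
    s.parents["E1"] = {"Description": "Pump skid"}
    s.children["C1"] = {"Parent": "E1", "Material": "M-100"}
    s.children["C2"] = {"Parent": "E1", "Material": "M-200"}
    return s


def parse_path(path: str):
    """Split ReferenceEquipment('E1')/to_Components('C1') into
    [("ReferenceEquipment", "E1"), ("to_Components", "C1")]."""
    segments = []
    for seg in path.strip("/").split("/"):
        name, _, rest = seg.partition("(")
        key = rest.rstrip(")").strip("'") if rest else None
        segments.append((name, key))
    return segments


def _apply(store: Store, method: str, segs, body):
    """Resolve the path and perform the operation; no authorization here."""
    root_name, root_key = segs[0]
    if root_name != ROOT_ENTITY_SET or root_key not in store.parents:
        return 404
    if len(segs) == 1:
        target, key = store.parents, root_key
    else:
        nav, key = segs[1]
        child = store.children.get(key)
        if nav != CHILD_NAV or child is None or child["Parent"] != root_key:
            return 404
        target = store.children
    if method == "GET":
        return 200
    if method == "PATCH":
        target[key].update(body or {})
        return 200
    if method == "DELETE":
        del target[key]
        return 204
    return 405


def handle_vulnerable(store: Store, user_actvts: set, method: str, path: str, body=None):
    """Bug: the check runs only when the request targets the root entity
    directly, so writes through the navigation path bypass it."""
    segs = parse_path(path)
    if len(segs) == 1 and METHOD_TO_ACTVT[method] not in user_actvts:
        return 403
    return _apply(store, method, segs, body)


def handle_fixed(store: Store, user_actvts: set, method: str, path: str, body=None):
    """Fix: the activity is checked for every request, however deep the
    navigation path, before any data is touched."""
    segs = parse_path(path)
    if METHOD_TO_ACTVT[method] not in user_actvts:
        return 403
    return _apply(store, method, segs, body)


if __name__ == "__main__":
    display_only = {ACTVT_DISPLAY}
    s = make_store()
    print(handle_vulnerable(s, display_only, "DELETE", "ReferenceEquipment('E1')/to_Components('C1')"))
    s = make_store()
    print(handle_fixed(s, display_only, "DELETE", "ReferenceEquipment('E1')/to_Components('C1')"))
```

The check in `handle_fixed` is deliberately placed before path resolution so that an unauthorized caller learns nothing from 404-versus-403 differences. In a real service the check would also be bound to the parent instance (for example its plant or equipment category fields), which this model omits.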
Exploitation Prerequisites
An attacker must have network access to the OData service endpoint, and the attack consists of sending crafted OData update or delete requests; no user interaction is needed. The official description does not state which privileges are required. SAP Gateway OData services normally require an authenticated session, so the realistic scenario is an authenticated user who lacks the authorization that should be required to change or delete child entities of a reference equipment record; exploitation without any credentials would depend on the service being exposed anonymously, which the description does not claim.
Impact
Successful exploitation enables an attacker to update or delete child entities within the Manage Reference Equipment service. This has a high impact on integrity, as data can be altered or removed without proper authorization. Confidentiality and availability are not affected according to the official description [1].
Mitigation
SAP has addressed this issue in its monthly Security Patch Day [1]. Organizations running SAP S/4HANA should apply the security note or support package referenced for this CVE in SAP's security notes portal. There is no indication that this CVE is listed on CISA's KEV, but prompt patching is recommended given the integrity impact. After patching, confirm the fix with a user who holds only display authorization for reference equipment: update and delete requests addressed to the child entities of the Manage Reference Equipment OData service should be rejected.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.