CVE-2026-34256
Description
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization check in SAP ERP and S/4HANA allows authenticated attackers to overwrite ABAP reports, impacting availability and limited integrity.
Vulnerability Overview
CVE-2026-34256 describes a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise). The flaw resides in a particular ABAP report that, when executed by an authenticated attacker, can overwrite any existing eight-character executable ABAP report without proper authorization. This bypasses the intended access controls, allowing unauthorized modification of report code.
Exploitation Prerequisites
An attacker must have valid authentication credentials to the SAP system. No additional privileges are required beyond standard user access. The attack can be carried out from any network position where the SAP system is reachable (e.g., via SAP GUI or RFC). The attacker executes the vulnerable ABAP report to overwrite a target report, replacing its code with arbitrary content.
Impact Assessment
Successful exploitation primarily affects availability: if the overwritten report is subsequently executed, its intended functionality becomes unavailable. There is a limited impact on integrity confined to the affected report (the overwritten report's code is altered), while confidentiality remains unaffected. The CVSS v3 base score is 7.1 (High), reflecting the potential for service disruption.
Mitigation Status
SAP has addressed this vulnerability through its regular Security Patch Day process. Customers are advised to apply the relevant SAP Security Note as soon as possible. The SAP Security Patch Day portal [1] provides general guidance on obtaining and implementing security corrections. No workarounds have been published; patching is the recommended course of action.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.