CVE-2026-34261

CVE-2026-34261 is a missing authorization vulnerability in SAP Business Analytics and SAP Content Management. The root cause is that certain remote function modules (RFMs) do not perform adequate authorization checks before executing requests, allowing an authenticated user to invoke them without proper permission validation [1].

To exploit the vulnerability, an attacker must have a valid authentication account in the SAP system. No special network position is required beyond normal application access. The attacker can issue crafted calls to the unprotected RFMs, bypassing intended permission checks [1].

The direct impact is a breach of confidentiality: the attacker can obtain sensitive information that should be restricted. There is no impact on integrity or availability, as the unauthorized calls only read data and do not modify or disrupt system operations [1].

SAP has addressed this issue through its Security Patch Day process, releasing a security note that provides a correction for the affected components or support package updates [1]. Administrators are strongly advised to apply the patch at the earliest opportunity, using the referenced SAP Security Note for their specific system versions.