CVE-2026-40132
Description
Due to a missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application's availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard allows authenticated attackers to access unauthorized data and manipulate risk evaluations.
The vulnerability resides in the Scorecard Wizard component of SAP Strategic Enterprise Management, implemented with Business Server Pages (BSP). Due to a missing authorization check, the application fails to enforce proper access controls on specific function calls. This flaw allows an authenticated user to perform operations beyond their intended privilege level.[1]
To exploit the vulnerability, an attacker must be authenticated to the SAP system. No special privileges or network conditions beyond normal authenticated access are required. The attacker can directly invoke the vulnerable wizard functionality to query or modify data that should be restricted based on user roles.[1]
The impact is twofold: confidentiality is affected because the attacker can view information they are not authorized to see. Integrity is also compromised, as the attacker can change default settings and modify value fields. This ability to tamper with risk-related fields can lead to misleading risk evaluations and falsely lower assessed risk levels, potentially affecting business decisions. Availability of the application is not impacted.[1]
SAP has released a security note as part of its regular Security Patch Day. Customers are advised to apply the corresponding SAP Security Notes and correction notes promptly to mitigate the risk. No workarounds are described.[1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)