VYPR
Medium severity 6.3 · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026

CVE-2026-40133

Description

Due to a missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can exploit a missing authorization check in SAP S/4HANA Condition Maintenance to view, modify, or block access to condition table records.

Vulnerability Overview

CVE-2026-40133 is a missing authorization check vulnerability in SAP S/4HANA Condition Maintenance. The root cause is that the application fails to properly verify whether an authenticated user has the necessary permissions to access or modify condition table records. This flaw allows an attacker with valid credentials to bypass intended access controls.

Exploitation

An attacker must be authenticated to the SAP S/4HANA system. No additional privileges are required beyond a valid user account. The attack surface is the Condition Maintenance functionality, where the missing check permits unauthorized operations on condition table records. The attacker can view and modify data that should be restricted, and also potentially disrupt legitimate users' access to those records.

Impact

Successful exploitation results in low impact on confidentiality and integrity, as the attacker can read and alter condition table data. Additionally, the vulnerability can cause low impact on availability by preventing legitimate users from accessing the same records. The overall CVSS v3 score is 6.3 (Medium).

Mitigation

SAP has addressed this vulnerability in a security note released as part of its monthly Security Patch Day [1]. Organizations running SAP S/4HANA should apply the relevant patch to remediate the issue. No workarounds are mentioned in the available sources.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 2
