VYPR
Medium severity 4.3 · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026

CVE-2026-40134

Description

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP ICM insufficient authorization checks allow authenticated users to invoke a remote function module for unauthorized table updates, with low integrity impact.

Vulnerability

SAP Incentive and Commission Management (ICM) contains insufficient authorization checks in a remote-enabled function module. Authenticated users can invoke this module to perform table update operations without proper validation of their permissions [1].

Exploitation

An attacker must be authenticated to the SAP system. Beyond network access to the ICM application, no additional privileges or specific network position is required. The vulnerability is remotely exploitable via the function module.

Impact

Successful exploitation results in unauthorized modification of database tables, but the impact on integrity is classified as low by SAP. There is no impact on confidentiality or availability.

Mitigation

SAP has addressed this vulnerability as part of its Security Patch Day. Administrators should apply the relevant security note as soon as possible [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
