{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0490", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:33.611Z", "datePublished": "2026-02-10T03:01:20.134Z", "dateUpdated": "2026-02-10T16:34:13.825Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP BusinessObjects BI Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "ENTERPRISE 430"}, {"status": "affected", "version": "2025"}, {"status": "affected", "version": "2027"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity.</p>"}], "value": "SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:20.134Z"}, "references": [{"url": "https://me.sap.com/notes/3654236"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of service (DOS) in SAP BusinessObjects BI Platform", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:33:57.484626Z", "id": "CVE-2026-0490", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:34:13.825Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0490", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:33.611Z", "datePublished": "2026-02-10T03:01:20.134Z", "dateUpdated": "2026-02-10T16:34:13.825Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP BusinessObjects BI Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "ENTERPRISE 430"}, {"status": "affected", "version": "2025"}, {"status": "affected", "version": "2027"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity.</p>"}], "value": "SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:20.134Z"}, "references": [{"url": "https://me.sap.com/notes/3654236"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of service (DOS) in SAP BusinessObjects BI Platform", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:33:57.484626Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:34:09.559Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8354981E-4A5F-4E5E-AF3A-283D5922DF90", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CEEB4426-D0A6-40D4-B053-8A47E8E0700D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2027:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C532D05D-B06C-4BAB-84D1-5127F3A78977", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity."}, {"lang": "es", "value": "SAP BusinessObjects BI Platform permite a un atacante no autenticado elaborar una solicitud de red espec\u00edfica al punto final de confianza que rompe la autenticaci\u00f3n, lo que impide que los usuarios leg\u00edtimos accedan a la plataforma. Como resultado, tiene un alto impacto en la disponibilidad, pero ning\u00fan impacto en la confidencialidad y la integridad."}], "id": "CVE-2026-0490", "lastModified": "2026-02-17T16:06:59.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:01.873", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3654236"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "ENTERPRISE 430"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2027"}}], "product": "businessobjects_bi_platform", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-18T12:54:44.318395+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch referenced in SAP Note\u00a03654236 or any subsequent update that addresses the authentication failure in BusinessObjects BI Platform.", "If a patch is not immediately available, restrict access to the trusted endpoint by implementing network segmentation or firewall rules that limit connections to trusted IP ranges only.", "Monitor system logs for authentication failures and availability disruptions to detect any exploitation attempts."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected products are SAP BusinessObjects BI Platform in its enterprise edition for versions 2025, 2027, and 430. No specific minor or patch levels are listed, implying that all releases of these major versions may be vulnerable.", "description_and_impact": "SAP BusinessObjects BI Platform contains a vulnerability that permits an unauthenticated attacker to craft a specific network request to a trusted endpoint, causing the authentication mechanism to fail and preventing legitimate users from accessing the system. The weakness is a missing authorization check, classified as CWE\u2011862. The result is a denial of available service, while confidentiality and integrity remain unaffected.", "risk_and_exploitability": "The CVSS score of 7.5 categorizes this vulnerability as High. The EPSS score of less than 1% indicates that exploitation is currently unlikely. It is not listed in CISA's KEV catalog. The likely attack vector is from any network that can reach the trusted endpoint, as the vulnerability does not require authentication and can be triggered by a crafted request. A successful exploit would deny system availability and disrupt business operations."}}}}, "created": "2026-02-10T15:37:22.187850+00:00", "updated": "2026-04-18T13:00:08.757196+00:00", "vendors": ["sap", "sap$PRODUCT$businessobjects_bi_platform"]}