{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0513", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:51.573Z", "datePublished": "2026-01-13T01:15:57.635Z", "dateUpdated": "2026-01-13T14:40:20.471Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SRM_SERVER 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted.</p>"}], "value": "Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-01-13T01:15:57.635Z"}, "references": [{"url": "https://me.sap.com/notes/3638716"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:39:47.890011Z", "id": "CVE-2026-0513", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:40:20.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T14:39:47.890011Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:39:51.565Z"}}], "cna": {"title": "Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "versions": [{"status": "affected", "version": "SRM_SERVER 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3638716"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-01-13T01:15:57.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0513", "state": "PUBLISHED", "dateUpdated": "2026-01-13T14:40:20.471Z", "dateReserved": "2025-12-09T22:06:51.573Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-01-13T01:15:57.635Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:supplier_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "069741F5-9DC2-442A-B48B-B0C68A3A6950", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supplier_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "0C2110DB-3940-47AF-B878-EB8C6B4E8522", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supplier_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "292B51A4-91A2-49C7-A31D-C70DEB620FEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supplier_relationship_management:713:*:*:*:*:*:*:*", "matchCriteriaId": "D9A86731-3213-4ACD-968E-0EA7BEA1192D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supplier_relationship_management:714:*:*:*:*:*:*:*", "matchCriteriaId": "EEE98FDD-55FA-4F88-AD58-7FE927129F97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted."}], "id": "CVE-2026-0513", "lastModified": "2026-01-22T18:48:53.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-13T02:15:53.957", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3638716"}, {"source": "cna@sap.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:47:04.707235+00:00", "value": {"mitigation_remediation": ["Apply the SAP Security Update referenced by SAP Note 3638716 to resolve the open redirect flaw.", "Test the system after the patch to confirm that URLs no longer redirect to external domains.", "If the patch cannot be applied immediately, configure the application to reject or sanitize redirects, or whitelist allowed external domains."], "summary": {"action": "Apply Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "Version 700, 701, 702, 713, and 714 of SAP Supplier Relationship Management (SICF Handler in SRM Catalog) are affected. No detailed sub\u2011release information is available, but all installations of these major releases should be considered vulnerable until the SAP note 3638716 update is applied.", "description_and_impact": "An unprivileged user can trigger an Open Redirect by visiting a specially crafted URL in the SAP Supplier Relationship Management SICF Handler that will redirect the victim to an attacker\u2011controlled site. The vulnerability does not compromise data integrity beyond redirection; confidentiality and availability remain unaffected. The principal risk is that users may be led to phishing or malicious sites, but the attack does not directly alter application data.", "risk_and_exploitability": "With a Base Score of 4.7, the CVSS profile places the issue in the Medium range. The EPSS value is reported as less than 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating a low probability of exploitation at this time. Based on the description, the likely attack vector is an unauthenticated web request that a user clicks on or follows, leading to the redirection. The exploitation requires only delivery of a crafted URL and does not need credentials or privileged access."}}}}, "created": "2026-01-13T09:27:03.239270+00:00", "updated": "2026-04-18T07:00:11.339248+00:00", "vendors": ["sap", "sap$PRODUCT$supplier_relationship_management"]}