{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23689", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-14T18:26:17.297Z", "datePublished": "2026-02-10T03:03:09.536Z", "dateUpdated": "2026-02-27T14:27:50.545Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Supply Chain Management", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SCMAPO 713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "SCM 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.</p>"}], "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-606", "description": "CWE-606: Unchecked Input for Loop Condition", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:03:09.536Z"}, "references": [{"url": "https://me.sap.com/notes/3703092"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of service (DOS) in SAP Supply Chain Management", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T17:18:05.323367Z", "id": "CVE-2026-23689", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T14:27:50.545Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T17:18:05.323367Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:18:09.866Z"}}], "cna": {"title": "Denial of service (DOS) in SAP Supply Chain Management", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supply Chain Management", "versions": [{"status": "affected", "version": "SCMAPO 713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "SCM 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3703092"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-606", "description": "CWE-606: Unchecked Input for Loop Condition"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:03:09.536Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23689", "state": "PUBLISHED", "dateUpdated": "2026-02-27T14:27:50.545Z", "dateReserved": "2026-01-14T18:26:17.297Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:03:09.536Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:713:*:*:*:*:*:*:*", "matchCriteriaId": "8E303C34-3616-489F-BEA3-456E302E2D38", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:714:*:*:*:*:*:*:*", "matchCriteriaId": "82CF8FC0-AECD-4ACC-B823-45645A5B2D83", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "A19AC4DB-E940-46AC-9E3D-4108B3F07BC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "B0A1E0EC-CA14-4AA4-A798-E4E9AD59E45B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "D0B74ECC-DC88-4171-B091-49BD76491336", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:712:*:*:*:*:*:*:*", "matchCriteriaId": "9172B1E7-CEDA-4A60-9915-E744FC1319FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."}, {"lang": "es", "value": "Debido a una vulnerabilidad de consumo de recursos no controlado (denegaci\u00f3n de servicio), un atacante autenticado con privilegios de usuario regular y acceso a la red puede invocar repetidamente un m\u00f3dulo de funci\u00f3n habilitado remotamente con un par\u00e1metro de control de bucle excesivamente grande. Esto desencadena una ejecuci\u00f3n de bucle prolongada que consume recursos excesivos del sistema, lo que podr\u00eda dejar el sistema no disponible. La explotaci\u00f3n exitosa resulta en una condici\u00f3n de denegaci\u00f3n de servicio que afecta la disponibilidad, mientras que la confidencialidad y la integridad permanecen inafectadas."}], "id": "CVE-2026-23689", "lastModified": "2026-02-17T15:57:04.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T04:16:03.500", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3703092"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-606"}], "source": "cna@sap.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCMAPO 713"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "714"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM 700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "701"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "702"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "712"}}], "product": "supply_chain_management", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-18T12:53:08.659138+00:00", "value": {"mitigation_remediation": ["Apply the SAP Security Patch Day hotfix referenced in SAP Note\u00a03703092 to update all affected SAP Supply Chain Management and Advanced Planning and Optimization components.", "Limit the exposure of the vulnerable remote\u2011enabled function module by restricting its use to privileged roles or disabling it for non\u2011essential users.", "Monitor CPU and memory usage for abnormal spikes, and configure alerts to detect and respond to prolonged loop execution that could indicate exploitation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects SAP Supply Chain Management products across versions 700 through 714, and also impacts Advanced Planning and Optimization versions 713 and 714. Authorized users with network access to the affected systems are able to trigger the vulnerability.", "description_and_impact": "This vulnerability is caused by an uncontrolled resource consumption flaw within a remote\u2011enabled function module. An authenticated user with normal privileges can repeatedly call the module with an overly large loop\u2011control parameter, forcing a long\u2011running loop that consumes significant CPU and memory resources. The result is a denial\u2011of\u2011service condition that makes the affected SAP Supply Chain Management system unavailable, while confidentiality and integrity of data remain unaffected.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication, meaning that the attack surface is limited to users who already have legitimate system access. Nonetheless, once enabled, the attack can render the system unusable."}}}}, "created": "2026-02-10T15:37:18.300082+00:00", "updated": "2026-04-18T13:00:08.748288+00:00", "vendors": ["sap", "sap$PRODUCT$supply_chain_management"]}