{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24322", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-21T22:15:36.672Z", "datePublished": "2026-02-10T03:04:01.992Z", "dateUpdated": "2026-02-10T17:00:38.519Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Solution Tools Plug-In (ST-PI)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "ST-PI 2008_1_700"}, {"status": "affected", "version": "2008_1_710"}, {"status": "affected", "version": "740"}, {"status": "affected", "version": "758"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.</p>"}], "value": "SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:01.992Z"}, "references": [{"url": "https://me.sap.com/notes/3705882"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T17:00:20.371145Z", "id": "CVE-2026-24322", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:00:38.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24322", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T17:00:20.371145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:00:33.348Z"}}], "cna": {"title": "Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Solution Tools Plug-In (ST-PI)", "versions": [{"status": "affected", "version": "ST-PI 2008_1_700"}, {"status": "affected", "version": "2008_1_710"}, {"status": "affected", "version": "740"}, {"status": "affected", "version": "758"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3705882"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:01.992Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24322", "state": "PUBLISHED", "dateUpdated": "2026-02-10T17:00:38.519Z", "dateReserved": "2026-01-21T22:15:36.672Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:04:01.992Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:740:*:*:*:*:*:*:*", "matchCriteriaId": "3E087FCF-62FE-48A7-80B1-1BEDEA5716D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:758:*:*:*:*:*:*:*", "matchCriteriaId": "F9C9CBFC-453A-4B9E-87B6-466369CE6AD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:*:*:*:*:*:*:*", "matchCriteriaId": "2DC728B3-F77B-45E8-B7EC-9C78B41FA1E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:*:*:*:*:*:*:*", "matchCriteriaId": "4836C482-5A64-4373-BCB4-0185BDF83EAD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability."}, {"lang": "es", "value": "SAP Solution Tools Plug-In (ST-PI) contiene un m\u00f3dulo de funci\u00f3n que no realiza las comprobaciones de autorizaci\u00f3n necesarias para usuarios autenticados, permitiendo que se divulgue informaci\u00f3n sensible. Esta vulnerabilidad tiene un alto impacto en la confidencialidad y no afecta a la integridad ni a la disponibilidad."}], "id": "CVE-2026-24322", "lastModified": "2026-02-17T15:23:50.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:04.307", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3705882"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "ST-PI 2008_1_700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2008_1_710"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "740"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "758"}}], "product": "sap_solution_tools_plug-in_(st-pi)", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T20:56:08.794831+00:00", "value": {"mitigation_remediation": ["Apply SAP Note\u00a03705882 to update ST\u2011PI and integrate the missing authorization checks.", "Disable or block the vulnerable function module until the patch is in place, for example by removing the user authorization key or excluding the module from active workflows.", "Review and tighten role and authorization definitions so that only necessary users can invoke the plug\u2011in, limiting potential exposure."], "summary": {"action": "Apply Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "Affected products include SAP Solution Tools Plug\u2011In (ST\u2011PI) versions 2008_1_700, 2008_1_710, 740, and 758. These releases are distributed by SAP and are identified by the corresponding CPE strings listed in the vulnerability record.", "description_and_impact": "The vulnerability arises from a function module that fails to perform correct authorization checks after a user authenticates. Because the module grants access to sensitive data, an attacker can extract confidential information without compromising integrity or availability. This flaw is categorized as CWE\u2011862 and delivers a high confidentiality impact.", "risk_and_exploitability": "The CVSS score of 7.7 indicates significant risk. The EPSS score of less than 1\u202f% suggests low current exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack path requires an authenticated session; once logged in, an attacker can invoke the exposed function module to read sensitive data. No additional prerequisites are described, so the flaw is potentially exploitable by any user who can authenticate to the system."}}}}, "created": "2026-02-10T11:34:38.165557+00:00", "updated": "2026-04-17T21:00:12.723618+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_solution_tools_plug-in_(st-pi)"]}