{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27672", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.512Z", "datePublished": "2026-04-14T00:06:27.780Z", "dateUpdated": "2026-04-14T13:14:19.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:06:27.780Z"}, "title": "Missing Authorization check in Material Master Application", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "Material Master Application", "versions": [{"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SCM_BASIS 700"}, {"status": "affected", "version": "SCM_BASIS 701"}, {"status": "affected", "version": "SCM_BASIS 702"}, {"status": "affected", "version": "SCM_BASIS 712"}, {"status": "affected", "version": "SCM_BASIS 713"}, {"status": "affected", "version": "SCM_BASIS 714"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3703276"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:57:05.976905Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:19.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:57:05.976905Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:24.852Z"}}], "cna": {"title": "Missing Authorization check in Material Master Application", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "Material Master Application", "versions": [{"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SCM_BASIS 700"}, {"status": "affected", "version": "SCM_BASIS 701"}, {"status": "affected", "version": "SCM_BASIS 702"}, {"status": "affected", "version": "SCM_BASIS 712"}, {"status": "affected", "version": "SCM_BASIS 713"}, {"status": "affected", "version": "SCM_BASIS 714"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3703276"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.", "supportingMedia": [{"type": "text/html", "value": "<p>The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:06:27.780Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27672", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:19.176Z", "dateReserved": "2026-02-23T17:50:10.512Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:06:27.780Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system."}], "id": "CVE-2026-27672", "lastModified": "2026-04-17T15:18:16.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:05.297", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3703276"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 701"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 702"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 712"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 713"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM_BASIS 714"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Material Master Application", "source": "cna", "vendor": "SAP_SE"}, "product": "material_master_application", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:51:54.193930+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch referenced in SAP note 3703276.", "Verify that all report executions enforce the required authorization checks.", "Restrict report\u2011execution permissions to the minimal set of users necessary.", "Monitor system logs for anomalous report\u2011generation activity."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Disclosure"}, "threat_synthesis": {"affected_systems": "SAP SE Material Master Application is the affected product. Version information is not specified in the provided data, meaning all deployments may be vulnerable until a patch is released and applied.", "description_and_impact": "The Material Master application does not enforce authorization checks for authenticated users when executing reports, exposing sensitive information. This missing access control flaw is classified as CWE\u2011862. The impact is limited to a low confidentiality loss; there is no reported effect on integrity or availability, but the disclosed data could still be valuable to an attacker.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low severity, and there is no EPSS data available to gauge exploitation probability. The CVE is not listed in the CISA KEV catalog, suggesting it is not widely exploited. The likely attack vector is an authenticated user triggering report generation, so threat actors would need valid credentials or stolen credentials to benefit. Because the vulnerability only discloses confidential data, the overall risk is moderate, but the issue should be addressed promptly."}}}}, "created": "2026-04-14T16:16:34.380322+00:00", "updated": "2026-04-14T16:31:31.158737+00:00", "vendors": ["sap", "sap$PRODUCT$material_master_application"]}