{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27677", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.513Z", "datePublished": "2026-04-14T00:07:22.753Z", "dateUpdated": "2026-04-14T13:14:18.498Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:22.753Z"}, "title": "Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA OData Service (Manage Reference Equipment)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3715097"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:01.303887Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:18.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:01.303887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:14.590Z"}}], "cna": {"title": "Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA OData Service (Manage Reference Equipment)", "versions": [{"status": "affected", "version": "S4CORE 109"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3715097"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:22.753Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27677", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:18.498Z", "dateReserved": "2026-02-23T17:50:10.513Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:07:22.753Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted."}], "id": "CVE-2026-27677", "lastModified": "2026-04-17T15:18:16.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:06.130", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3715097"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 109"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP S/4HANA OData Service (Manage Reference Equipment)", "source": "cna", "vendor": "SAP_SE"}, "product": "s/4hana", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:50:48.795694+00:00", "value": {"mitigation_remediation": ["Review SAP security note 3715097 for the latest patch recommendation for the OData Service.", "Apply the patch that resolves the missing authorization check in the reference equipment service.", "Audit role and permission assignments for OData services to ensure only authorized users can modify child entities.", "If a patch is not yet available, restrict or disable external access to the reference equipment OData endpoint.", "Implement monitoring to detect unauthorized update or delete actions on OData services and investigate anomalies."], "summary": {"action": "Patch", "impact": "Unauthorized data modification compromising integrity"}, "threat_synthesis": {"affected_systems": "The flaw affects SAP S/4HANA installations that expose the OData Service for managing reference equipment. The advisory does not list specific version numbers, so any instance containing this service should be examined for the missing check. The affected component is part of the standard SAP Enterprise Resource Planning suite.", "description_and_impact": "A missing authorization check within the SAP S/4HANA OData Service that manages reference equipment allows an attacker who can reach the service to update or delete child entities without proper approval. This directly undermines the integrity of operational data, potentially leading to incorrect asset records or configuration information. The vulnerability does not expose sensitive information and does not disrupt service availability.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity with high impact on data integrity. The EPSS score is not available, and there is no record of exploitation in publicly known campaigns. The likely attack vector is remote via the exposed OData endpoint over the network, and the attacker needs to send crafted requests that bypass authorization. Because the check is omitted, the attack can be automated once access to the endpoint is achieved, presenting a substantial risk to the underlying data."}}}}, "created": "2026-04-14T16:16:28.873942+00:00", "updated": "2026-04-14T16:31:25.454203+00:00", "vendors": ["sap", "sap$PRODUCT$s/4hana"]}