{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27679", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.513Z", "datePublished": "2026-04-14T00:07:44.698Z", "dateUpdated": "2026-04-14T13:14:18.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:44.698Z"}, "title": "Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA Frontend OData Service (Manage Reference Structures)", "versions": [{"status": "affected", "version": "UIS4H 109"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3716767"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:36.424036Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:18.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:36.424036Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:10.501Z"}}], "cna": {"title": "Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA Frontend OData Service (Manage Reference Structures)", "versions": [{"status": "affected", "version": "UIS4H 109"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3716767"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:44.698Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27679", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:18.168Z", "dateReserved": "2026-02-23T17:50:10.513Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:07:44.698Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:manage_reference_structures:uis4h_109:*:*:*:*:*:*:*", "matchCriteriaId": "AFB5A6C3-F943-49C4-BA93-DC4E74B5E8FA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:sap:s\\/4hana:-:*:*:*:*:*:*:*", "matchCriteriaId": "61225714-D573-435F-9423-7AE6A8ED59BC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted."}], "id": "CVE-2026-27679", "lastModified": "2026-05-04T14:58:27.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:06.413", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3716767"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "UIS4H 109"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP S/4HANA Frontend OData Service (Manage Reference Structures)", "source": "cna", "vendor": "SAP_SE"}, "product": "s/4hana", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:21:45.251163+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch that restores authorization checks for the Manage Reference Structures OData service.", "If patching is delayed, limit outbound or inbound network access to the OData endpoints through firewalls or VPNs to prevent unauthorized users from reaching the service.", "After applying the patch, verify that unauthorized update and delete operations are blocked by testing with a non\u2011privileged user account.", "Regularly monitor SAP security advisories and the SAP support portal for additional patches or configuration recommendations."], "summary": {"action": "Patch", "impact": "Integrity (unauthorized update/delete of child entities)"}, "threat_synthesis": {"affected_systems": "The affected system is SAP S/4HANA Frontend OData Service (Manage Reference Structures) from SAP. Specific versions are not listed in the advisory, so all installations of this service are potentially vulnerable until a patch is applied.", "description_and_impact": "A missing authorization check in the SAP S/4HANA frontend OData Service for managing reference structures allows an attacker to update and delete child entities without proper permissions. This vulnerability primarily compromises the integrity of the system, as unauthorized modifications can alter critical data while leaving confidentiality and availability intact.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating a moderate severity and a medium risk to the affected organization. Exploit probability is not quantified in the EPSS data, and the vulnerability is not currently included in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is network-based, allowing remote exploitation via exposed OData endpoints."}}}}, "created": "2026-04-14T16:16:26.723397+00:00", "updated": "2026-04-14T16:31:23.273859+00:00", "vendors": ["sap", "sap$PRODUCT$s/4hana"]}