{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27687", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:17.028Z", "datePublished": "2026-03-10T00:18:45.548Z", "dateUpdated": "2026-03-10T16:52:42.319Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:18:45.548Z"}, "title": "Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "versions": [{"status": "affected", "version": "S4HCMCPT 100"}, {"status": "affected", "version": "101"}, {"status": "affected", "version": "102"}, {"status": "affected", "version": "SAP_HRCPT 600"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "608"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3701020"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:35:57.477007Z", "id": "CVE-2026-27687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:52:42.319Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:35:57.477007Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:35:58.499Z"}}], "cna": {"title": "Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "versions": [{"status": "affected", "version": "S4HCMCPT 100"}, {"status": "affected", "version": "101"}, {"status": "affected", "version": "102"}, {"status": "affected", "version": "SAP_HRCPT 600"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "608"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3701020"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:18:45.548Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27687", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:52:42.319Z", "dateReserved": "2026-02-23T17:50:17.028Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-03-10T00:18:45.548Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability."}], "id": "CVE-2026-27687", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-03-10T17:38:11.330", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3701020"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4HCMCPT 100"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "101"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_HRCPT 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "608"}}], "original": {"product": "SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "source": "cna", "vendor": "SAP_SE"}, "product": "sap_erp_hcm_portugal", "vendor": "sap_se"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4HCMCPT 100"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "101"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_HRCPT 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "608"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal", "source": "cna", "vendor": "SAP_SE"}, "product": "sap_s/4hana_hcm_portugal", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-16T09:54:33.261495+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch or update to a version that contains the fix for the missing authorization check.", "Limit the use of high\u2011privilege accounts and enforce least\u2011privilege access for users who do not need to read cross\u2011company data.", "Implement monitoring and logging of privileged user activity to detect unauthorized data access attempts."], "summary": {"action": "Apply vendor patch", "impact": "Confidentiality breach by unauthorized access to sensitive data"}, "threat_synthesis": {"affected_systems": "Impact is limited to SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, as listed by SAP. No specific version information is provided, so the risk applies to all installations of these products.", "description_and_impact": "A missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal allows a user with high privileges to view sensitive data belonging to another company. The primary weakness is a lack of proper access control (CWE\u2011862). The vulnerability threatens confidentiality only, with no impact on integrity or availability.", "risk_and_exploitability": "The CVSS score of 5.8 denotes a moderate severity. The EPSS value of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It is likely to be exploited by insiders with elevated privileges who have access to the affected systems."}}}}, "created": "2026-03-10T14:06:10.539167+00:00", "updated": "2026-04-16T10:00:14.088473+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_erp_hcm_portugal", "sap_se$PRODUCT$sap_s/4hana_hcm_portugal"]}