{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27689", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:17.028Z", "datePublished": "2026-03-10T00:19:05.551Z", "dateUpdated": "2026-03-10T16:52:30.031Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:19:05.551Z"}, "title": "Denial of service (DOS) in SAP Supply Chain Management", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-606", "description": "CWE-606: Unchecked Input for Loop Condition", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supply Chain Management", "versions": [{"status": "affected", "version": "SCMAPO 713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "S4COREOP 105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SCM 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3719502"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:35:53.163951Z", "id": "CVE-2026-27689", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:52:30.031Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:35:53.163951Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:35:54.216Z"}}], "cna": {"title": "Denial of service (DOS) in SAP Supply Chain Management", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supply Chain Management", "versions": [{"status": "affected", "version": "SCMAPO 713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "S4COREOP 105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SCM 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3719502"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-606", "description": "CWE-606: Unchecked Input for Loop Condition"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:19:05.551Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27689", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:52:30.031Z", "dateReserved": "2026-02-23T17:50:17.028Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-03-10T00:19:05.551Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."}], "id": "CVE-2026-27689", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-03-10T17:38:11.683", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3719502"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-606"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCMAPO 713"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "714"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4COREOP 105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SCM 700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "701"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "702"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "712"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "SAP Supply Chain Management", "source": "cna", "vendor": "SAP_SE"}, "product": "supply_chain_management", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-16T09:53:44.559611+00:00", "value": {"mitigation_remediation": ["Apply the latest security patch or update to SAP Supply Chain Management as recommended in SAP Note 3719502.", "Restrict or disable remote access to the affected function module and enforce input validation to reject large loop-control values.", "Implement system resource limits or a watchdog that detects unusually long-running processes and terminates them to mitigate the impact of an attempted exploitation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service during resource exhaustion"}, "threat_synthesis": {"affected_systems": "SAP Supply Chain Management products disclosed under SAP_SE. No specific version details are provided, so any instance of the application that implements the vulnerable function module and is reachable over the network may be impacted.", "description_and_impact": "An authenticated attacker with regular user rights and network access can repeatedly call a remote-enabled function module in SAP Supply Chain Management, supplying an excessively large loop-control parameter that forces the function to execute a long loop and consume excessive CPU and memory resources. The attack does not affect confidentiality or integrity, but it can render the application or the host machine unavailable until the system recovers or is restarted.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.7, classifying it as high severity, yet the EPSS score is less than 1%, indicating a very low probability of exploitation in the wild. The attack requires network connectivity to the SAP application and valid user credentials but does not require elevated privileges. Because the exploit path is a remote function call with a controllable parameter, it is inferred that the attack vector is remote over the network. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-03-10T14:06:08.669370+00:00", "updated": "2026-04-16T10:00:14.078293+00:00", "vendors": ["sap", "sap$PRODUCT$supply_chain_management"]}