{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34261", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-03-26T19:02:45.983Z", "datePublished": "2026-04-14T00:08:51.232Z", "dateUpdated": "2026-04-14T13:14:17.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:51.232Z"}, "title": "Missing Authorization check in SAP Business Analytics and SAP Content Management", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Business Analytics and SAP Content Management", "versions": [{"status": "affected", "version": "S4HCMRXX 100"}, {"status": "affected", "version": "101"}, {"status": "affected", "version": "102"}, {"status": "affected", "version": "SAP_HRRXX 600"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "608"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3705094"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:53:23.140179Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:17.473Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:53:23.140179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:08:59.407Z"}}], "cna": {"title": "Missing Authorization check in SAP Business Analytics and SAP Content Management", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Business Analytics and SAP Content Management", "versions": [{"status": "affected", "version": "S4HCMRXX 100"}, {"status": "affected", "version": "101"}, {"status": "affected", "version": "102"}, {"status": "affected", "version": "SAP_HRRXX 600"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "608"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3705094"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:51.232Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34261", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:17.473Z", "dateReserved": "2026-03-26T19:02:45.983Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:08:51.232Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability."}], "id": "CVE-2026-34261", "lastModified": "2026-04-17T15:18:16.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T01:16:03.897", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3705094"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4HCMRXX 100"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "101"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_HRRXX 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "608"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP Business Analytics and SAP Content Management", "source": "cna", "vendor": "SAP_SE"}, "product": "business_analytics", "vendor": "sap"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4HCMRXX 100"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "101"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_HRRXX 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "608"}}], "original": {"product": "SAP Business Analytics and SAP Content Management", "source": "cna", "vendor": "SAP_SE"}, "product": "content_management", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T03:23:53.591820+00:00", "value": {"mitigation_remediation": ["Verify your SAP Business Analytics or SAP Content Management version against SAP Note\u00a03705094 to confirm the presence of the vulnerability.", "Apply the security patch released during the SAP Security Patch Day to address the missing authorization check.", "If a patch cannot be applied immediately, strengthen role-based access controls to restrict the use of sensitive function modules.", "Continuously monitor system logs for unexpected remote function calls following remediation or patch deployment."], "summary": {"action": "Apply Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to SAP Business Analytics and SAP Content Management. No specific product versions are listed, so all deployments of these services should validate their build against SAP Note\u00a03705094 to determine exposure.", "description_and_impact": "A missing authorization check in SAP Business Analytics and SAP Content Management allows an authenticated user to invoke remote function modules that the user is not authorized to call. This flaw is a classic example of CWE\u2011862: Authorization Bypass Through User\u2011Controlled Key. The result is that sensitive data may be exposed, thereby compromising confidentiality while leaving integrity and availability unaffected.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog. Exploitation requires a legitimate authenticated session; the attacker must already possess a user account with valid credentials. The lack of an unauthenticated attack surface limits the exploitation likelihood, but the potential for confidential data leakage makes the overall risk moderate to high if left unmitigated."}}}}, "created": "2026-04-14T16:16:20.435525+00:00", "updated": "2026-04-14T16:31:16.960418+00:00", "vendors": ["sap", "sap$PRODUCT$business_analytics", "sap$PRODUCT$content_management"]}