CVE-2025-26656 MEDIUM

CVE-2025-26656: Missing Authorization check in S/4HANA (Manage Purchasing Info Records)

Vendor Sap_Se
Product S/4HANA (Manage Purchasing Info Records)
Weakness CWE-862 · Missing authorization
Published March 11, 2025
Last update March 11, 2025
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.

Key dates

02Disclosure timeline

March 11, 2025 CVE published
March 11, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-6708 HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter CVE-2025-14170 Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification CVE-2024-35721 WordPress Image Gallery plugin <= 1.4.5 - Broken Access Control vulnerability CVE-2025-13354 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation CVE-2025-31773 WordPress Ship Per Product plugin <= 2.1.0 - Broken Access Control vulnerability