CVE-2025-42936 MEDIUM

CVE-2025-42936: Missing Authorization check in SAP NetWeaver Application Server for ABAP

Vendor Sap_Se
Product SAP NetWeaver Application Server for ABAP
Weakness CWE-266
Published August 12, 2025
Last update February 26, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.

Key dates

02Disclosure timeline

August 12, 2025 CVE published
February 26, 2026 Record updated