CVE-2026-0506 HIGH

CVE-2026-0506: Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

Vendor Sap_Se
Product SAP NetWeaver Application Server ABAP and ABAP Platform
Weakness CWE-862 · Missing authorization
Published January 13, 2026
Last update January 13, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.

Key dates

02Disclosure timeline

January 13, 2026 CVE published
January 13, 2026 Record updated