CVE-2026-27678 MEDIUM

CVE-2026-27678: Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)

Vendor Sap_Se

Product SAP S/4HANA Backend OData Service (Manage Reference Structures)

Weakness CWE-862 · Missing authorization

Published April 14, 2026

Last update April 14, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

Key dates

02Disclosure timeline

April 14, 2026 CVE published

April 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27678

Related vulnerabilities

04Related CVE

CVE-2025-65036 XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro CVE-2025-57896 WordPress Church Admin Plugin <= 5.0.26 - Broken Access Control Vulnerability CVE-2025-43008 Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal CVE-2026-25437 WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability CVE-2025-5288 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function

Identifiers

CVE CVE-2026-27678

CWE CWE-862

CVSS 6.5 / MEDIUM

Affected versions

Vendor Sap_Se

Product SAP S/4HANA Backend OData Service (Manage Reference Structures)

Affected S4CORE 109