CVE-2026-40132 MEDIUM

CVE-2026-40132: Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)

Vendor Sap_Se
Product SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
Weakness CWE-862 · Missing authorization
Published May 12, 2026
Last update May 12, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application�s availability.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated

Related vulnerabilities

04Related CVE