CVE-2026-44754 MEDIUM

CVE-2026-44754: Missing caller identification check-in for ODP Data Replication APIs

Vendor Sap_Se
Product ODP Data Replication APIs
Weakness CWE-862 · Missing authorization
Published June 9, 2026
Last update June 9, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated