CVE-2026-27688
5.0 MEDIUMDue to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could r...
Published: 2026-03-10 · Last updated: 2026-06-03
Severity and scoring
- CVSS
- 5.0 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| sap | netweaver_application_server_abap |
Description
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-27688
- [Other]https://me.sap.com/notes/3704740
- [Vendor advisory]https://url.sap/sapsecuritypatchday
Related CVEs
Same vendor
- CVE-2026-27680 — Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascad... (3.1 LOW)
- CVE-2026-40135 — An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authentica... (6.5 MEDIUM)
- CVE-2026-27682 — Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Serv... (4.7 MEDIUM)
- CVE-2026-34257 — Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL tha... (6.1 MEDIUM)
- CVE-2026-27674 — Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could suppl... (6.1 MEDIUM)
Same CWE
- CVE-2026-46645 — SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
- CVE-2026-53634 — Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
- CVE-2026-0272 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...
- CVE-2026-49822 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
- CVE-2026-49821 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)