SB2026011347 - Multiple vulnerabilities in SAP Fiori App Intercompany Balance Reconciliation

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2026-0493)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

2) Input validation error (CVE-ID: CVE-2026-0495)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to an unspecified issue. A remote authenticated user can compromise the affected system.

3) Input validation error (CVE-ID: CVE-2026-0496)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to an unspecified issue. A remote authenticated user can compromise the affected system.

4) Input validation error (CVE-ID: CVE-2026-0511)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to an unspecified issue. A remote authenticated user can compromise the affected system.

5) Information disclosure (CVE-ID: CVE-2026-0494)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html
• https://me.sap.com/notes/3655229
• https://me.sap.com/notes/3565506
• https://me.sap.com/notes/3655227