SB2026031033 - Multiple vulnerabilities in SAP NetWeaver AS ABAP

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Missing authorization (CVE-ID: CVE-2026-24310)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization checks. A remote user can gain access to sensitive information. 

2) Missing authorization (CVE-ID: CVE-2026-27688)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization checks. A remote user can gain unauthorized access to sensitive information. 

3) Missing authorization (CVE-ID: CVE-2026-24309)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to missing authorization checks. A remote authenticated user can gain unauthorized access to the application. 

4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-24316)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Remediation

Install update from vendor's website.

References

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2026.html
• https://me.sap.com/notes/3694383
• https://me.sap.com/notes/3704740
• https://me.sap.com/notes/3703856
• https://me.sap.com/notes/3689080