SB2026041497 - Multiple vulnerabilities in SAP S/4HANA
Published: April 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-27676)
The vulnerability allows a remote user to modify data.
The vulnerability exists due to improper access control in SAP S/4HANA OData Service (Manage Technical Object Structures) when handling requests. A remote user can access the OData service without proper authorization checks to modify data.
2) Missing Authorization (CVE-ID: CVE-2026-27673)
The vulnerability allows a remote user to modify data and cause limited service disruption.
The vulnerability exists due to improper access control in SAP S/4HANA (Private Cloud and On-Premise) when handling requests. A remote user can access functionality without proper authorization checks to modify data and cause limited service disruption.
3) Missing Authorization (CVE-ID: CVE-2026-27679)
The vulnerability allows a remote user to modify data.
The vulnerability exists due to improper access control in SAP S/4HANA Frontend OData Service (Manage Reference Structures) when handling requests. A remote user can access the OData service without proper authorization checks to modify data.
4) Missing Authorization (CVE-ID: CVE-2026-27678)
The vulnerability allows a remote user to modify data.
The vulnerability exists due to improper access control in SAP S/4HANA Backend OData Service (Manage Reference Structures) when handling requests. A remote user can access the OData service without proper authorization checks to modify data.
5) Missing Authorization (CVE-ID: CVE-2026-27677)
The vulnerability allows a remote user to modify data.
The vulnerability exists due to improper access control in SAP S/4HANA OData Service (Manage Reference Equipment) when handling requests. A remote user can access the OData service without proper authorization checks to modify data.
Remediation
Install update from vendor's website.