CVE-2026-0509

Severity: CRITICAL
WAF: Low
CVSS: 9.6
Published: 2026-02-10
CWE: CWE-862

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

WAF Coverage Analysis

Missing Authorization: Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor  Product                      Version
sap     netweaver_as_abap_kernel     7.22
sap     netweaver_as_abap_kernel     7.53
sap     netweaver_as_abap_kernel     7.54
sap     netweaver_as_abap_kernel     7.77
sap     netweaver_as_abap_kernel     7.89
sap     netweaver_as_abap_kernel     7.93
sap     netweaver_as_abap_kernel     9.16
sap     netweaver_as_abap_kernel     9.18
sap     netweaver_as_abap_kernel     9.19
sap     netweaver_as_abap_krnl64nuc  7.22
