CVE-2026-27678

MEDIUM WAF: Low

CVSS 6.5 Published: 2026-04-14

CWE-862

Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

WAF Coverage Analysis

Missing Authorization Low WAF Coverage

OWASP: A01:2021 Broken Access Control

References

me.sap.com
url.sap

Back to CVE Database