Vulnerability Details CVE-2026-24326
Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.0%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-24326
-
cpe:2.3:a:sap:s/4hana_defense_&_security:600
-
cpe:2.3:a:sap:s/4hana_defense_&_security:603
-
cpe:2.3:a:sap:s/4hana_defense_&_security:604
-
cpe:2.3:a:sap:s/4hana_defense_&_security:605
-
cpe:2.3:a:sap:s/4hana_defense_&_security:606
-
cpe:2.3:a:sap:s/4hana_defense_&_security:616
-
cpe:2.3:a:sap:s/4hana_defense_&_security:617
-
cpe:2.3:a:sap:s/4hana_defense_&_security:618
-
cpe:2.3:a:sap:s/4hana_defense_&_security:619
-
cpe:2.3:a:sap:s/4hana_defense_&_security:800
-
cpe:2.3:a:sap:s/4hana_defense_&_security:801
-
cpe:2.3:a:sap:s/4hana_defense_&_security:802
-
cpe:2.3:a:sap:s/4hana_defense_&_security:803
-
cpe:2.3:a:sap:s/4hana_defense_&_security:804
-
cpe:2.3:a:sap:s/4hana_defense_&_security:805
-
cpe:2.3:a:sap:s/4hana_defense_&_security:806
-
cpe:2.3:a:sap:s/4hana_defense_&_security:807
-
cpe:2.3:a:sap:s/4hana_defense_&_security:808
-
cpe:2.3:a:sap:s/4hana_defense_&_security:809