Remote Code Injection Vulnerability in SAP S/4HANA by SAP
CVE-2026-0498

9.1CRITICAL

Key Information:

Vendor: SAP
Status: SAP S/4hana (private Cloud And On-premise)
Vendor: CVE Published:; 13 January 2026

What is CVE-2026-0498?

SAP S/4HANA (both Private Cloud and On-Premise) has a security flaw that allows an attacker with administrative privileges to exploit vulnerabilities in an exposed function module via RFC. This security issue facilitates the injection of arbitrary ABAP code or OS commands into the system, circumventing crucial authorization protocols. As a result, this vulnerability can serve as a backdoor for malicious actors, significantly undermining the system's confidentiality, integrity, and availability.

Affected Version(s)

SAP S/4HANA (Private Cloud and On-Premise) S4CORE 102

SAP S/4HANA (Private Cloud and On-Premise) 103

SAP S/4HANA (Private Cloud and On-Premise) 104

References

https://me.sap.com/notes/3694242

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 13, 2026
Vulnerability Reserved
Dec 9, 2025

CVE-2026-0498 Data

JSON