Missing Authorization Check in SAP ERP Central Component and SAP S/4HANA
CVE-2026-0503

6.4 MEDIUM

What is CVE-2026-0503?

SAP ERP Central Component and SAP S/4HANA contain a vulnerability caused by a lack of proper authorization checks. By manipulating user parameters, an attacker can extract hardcoded clear-text credentials and bypass password authentication checks. Successful exploitation gives unauthorized access to EHS objects, allowing critical change pointer information to be modified or deleted. Exploitation can affect connected downstream systems and puts the confidentiality and integrity of the application at risk.

Affected Version(s)

SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) SAP_APPL 618

SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) S4CORE 102

SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) 103

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
