Authorization Flaw in SAP S/4HANA OData Service - SAP
CVE-2026-27677

6.5MEDIUM

Key Information:

Vendor: SAP
Status: SAP S/4hana Odata Service (manage Reference Equipment)
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-27677?

A critical authorization check flaw exists in the SAP S/4HANA OData Service, specifically related to the Manage Reference Equipment component. This vulnerability allows an attacker to perform unauthorized updates and deletions of child entities through OData services. While the integrity of the affected services is compromised, both confidentiality and availability remain unaffected. Organizations utilizing this service should prioritize applying necessary security updates to mitigate potential exploitation.

Affected Version(s)

SAP S/4HANA OData Service (Manage Reference Equipment) S4CORE 109

References

https://me.sap.com/notes/3715097

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-27677 Data

JSON