Unauthorized Access Vulnerability in SAP S/4HANA OData Service
CVE-2026-27678

6.5MEDIUM

Key Information:

Vendor: SAP
Status: SAP S/4hana Backend Odata Service (manage Reference Structures)
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-27678?

A vulnerability exists in the SAP S/4HANA backend OData Service (Manage Reference Structures), where insufficient authorization checks allow attackers to update and delete child entities via exposed OData services. This flaw poses a significant risk to data integrity, enabling unauthorized modifications that could lead to compromised data management. The issue does not affect confidentiality or availability, but organizations using SAP S/4HANA should take immediate steps to mitigate this risk.

Affected Version(s)

SAP S/4HANA Backend OData Service (Manage Reference Structures) S4CORE 109

References

https://me.sap.com/notes/3715177

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-27678 Data

JSON