Authorization Bypass in SAP S/4HANA OData Service for Manage Reference Structures
CVE-2026-27679

6.5 MEDIUM

What is CVE-2026-27679?

An authorization bypass vulnerability exists in the SAP S/4HANA frontend OData Service related to Managing Reference Structures. Exploitation of this flaw allows unauthorized attackers to update and delete child entities through exposed OData services, resulting in potential integrity issues. This vulnerability underscores the critical need for robust authorization mechanisms to safeguard sensitive data transactions within the application.

Affected Version(s)

SAP S/4HANA Frontend OData Service (Manage Reference Structures) UIS4H 109

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
