Insufficient Authorization in SAP Business Planning and Consolidation Vulnerability
CVE-2026-27681

9.9 CRITICAL

What is CVE-2026-27681?

A vulnerability exists in SAP Business Planning and Consolidation and SAP Business Warehouse due to insufficient checks on user authorization. An authenticated user may take advantage of this flaw to execute crafted SQL statements. This could allow them to read, modify, or delete sensitive data in the database, potentially compromising the confidentiality, integrity, and availability of data within the system.

Affected Version(s)

SAP Business Planning and Consolidation and SAP Business Warehouse HANABPC 810

SAP Business Planning and Consolidation and SAP Business Warehouse BPC4HANA 300

SAP Business Planning and Consolidation and SAP Business Warehouse SAP_BW 750

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
