Missing Authorization Check in SAP Business Warehouse
CVE-2026-27686

5.9MEDIUM

Key Information:

Vendor: SAP
Status: SAP Business Warehouse (service Api)
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-27686?

A missing authorization check in the Service API of SAP Business Warehouse allows authenticated attackers to execute unauthorized actions through affected RFC function modules. This vulnerability can lead to unauthorized configuration modifications and control changes, which may disrupt request processing and cause denial of service. While the impact on confidentiality is unaffected, the integrity remains low and availability can be significantly compromised, affecting the overall system functionality.

Affected Version(s)

SAP Business Warehouse (Service API) DW4CORE 200

SAP Business Warehouse (Service API) 300

SAP Business Warehouse (Service API) 400

References

https://me.sap.com/notes/3703385

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-27686 Data

JSON