Authorization Flaw in SAP ERP and S/4HANA Products
CVE-2026-34256

7.1HIGH

Key Information:

Vendor: SAP
Status: SAP Erp And SAP S/4 Hana (private Cloud And On-premise)
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-34256?

An authorization check flaw in SAP ERP and SAP S/4HANA allows authenticated attackers to execute a specific ABAP report, enabling them to overwrite existing eight-character executable ABAP reports without the appropriate permissions. This exploitation could lead to service disruptions if the overwritten reports are executed, potentially impacting availability and limiting the functionality for end-users while leaving confidentiality intact.

Affected Version(s)

SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) SAP_FIN 618

SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 720

SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 730

References

https://me.sap.com/notes/3731908

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 26, 2026

CVE-2026-34256 Data

JSON