CVE-2026-0509

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3674774	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:::::::*
	cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:::::::*

History

No history.

Information

Published : 2026-02-10 04:16

Updated : 2026-02-17 16:04

NVD link : CVE-2026-0509

Mitre link : CVE-2026-0509

CVE.ORG link : CVE-2026-0509

JSON object : View

Products Affected

sap

netweaver_as_abap_kernel
netweaver_as_abap_krnl64nuc
netweaver_as_abap_krnl64uc

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-0509", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.8, "exploitabilityScore": 3.1}]}, "published": "2026-02-10T04:16:02.357", "references": [{"url": "https://me.sap.com/notes/3674774", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application."}, {"lang": "es", "value": "SAP NetWeaver Servidor de Aplicaciones ABAP y Plataforma ABAP permite a un usuario autenticado y con bajos privilegios realizar llamadas a funciones remotas en segundo plano sin la autorizaci\u00f3n S_RFC requerida en ciertos casos. Esto puede resultar en un alto impacto en la integridad y disponibilidad, y ning\u00fan impacto en la confidencialidad de la aplicaci\u00f3n."}], "lastModified": "2026-02-17T16:04:59.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE603A80-8FF0-4180-9E11-C468AE2441C7"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7EB97250-22A3-4BA6-8498-59ED0E81E3CC"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F5D31D3-B2B2-4347-B8DF-D06056289598"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50570852-982E-40CA-B391-3FB8B9373F78"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8B74AD9-A83E-45DD-96C2-4F3C8C8C6AE6"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "237DBA4A-B5A9-48C9-B6A3-D293BB66EF69"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3668B2D9-0A4C-43F5-B248-9A6438AF7D71"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BC9779B-7571-44F7-BCCC-6BF2834ED779"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D243C94B-F182-48A0-9775-4B193B913B8E"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02507EB2-8776-4EA9-9164-B2F6AD911B59"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7867ADA5-47AA-48DD-9CAC-D3ACB5713CB3"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5E3292A-7311-4821-A52E-8FB4A1449D44"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "171A52A4-8383-47D9-89D4-FC44CA84DA49"}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1190FF1-8D50-4424-AE21-6AE562D5C6B1"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}