CVE-2026-23681

Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3680416	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:solution_tools_plug-in:740:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:758:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:::::::*
	cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:::::::*

History

No history.

Information

Published : 2026-02-10 04:16

Updated : 2026-02-17 16:04

NVD link : CVE-2026-23681

Mitre link : CVE-2026-23681

CVE.ORG link : CVE-2026-23681

JSON object : View

Products Affected

sap

solution_tools_plug-in

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-23681", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-10T04:16:02.520", "references": [{"url": "https://me.sap.com/notes/3680416", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability."}, {"lang": "es", "value": "Debido a la falta de verificaci\u00f3n de autorizaci\u00f3n en un m\u00f3dulo de funci\u00f3n en el Plug-In de Herramientas de Soporte de SAP, un atacante autenticado podr\u00eda invocar m\u00f3dulos de funci\u00f3n espec\u00edficos para recuperar informaci\u00f3n sobre el sistema y su configuraci\u00f3n. Esta divulgaci\u00f3n de la informaci\u00f3n del sistema podr\u00eda ayudar al atacante a planificar ataques subsiguientes. Esta vulnerabilidad tiene un bajo impacto en la confidencialidad de la aplicaci\u00f3n, sin efecto en su integridad o disponibilidad."}], "lastModified": "2026-02-17T16:04:47.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:740:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E087FCF-62FE-48A7-80B1-1BEDEA5716D6"}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:758:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9C9CBFC-453A-4B9E-87B6-466369CE6AD6"}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DC728B3-F77B-45E8-B7EC-9C78B41FA1E6"}, {"criteria": "cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4836C482-5A64-4373-BCB4-0185BDF83EAD"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}