Zero Day Monitor (ZDM)
7.1
CVE-2026-34256
sap · sap erp and sap s/4 hana (private cloud and on-premise)

Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Description

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

Affected Products

Vendor: sap
Product: sap erp and sap s/4 hana (private cloud and on-premise)
Versions: SAP_FIN 618, 720, 730, EA-FIN 617, 700, SAPSCORE 135, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605, 606

References

  • https://me.sap.com/notes/3731908
  • https://url.sap/sapsecuritypatchday

Related News (2 articles)

Tier D · SecurityWeek · 10h ago
SAP Patches Critical ABAP Vulnerability
→ No new info (linked only)
Tier C · VulDB · 16h ago
CVE-2026-34256 | SAP ERP/S4 HANA up to SAP_FIN 618 authorization
→ No new info (linked only)

CVSS 3.1: 7.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CISA KEV: No
Actively exploited: No
CWE: CWE-862
Published: Apr 14, 2026
Last enriched: 15h ago (v2)
Tags: CVE-2026-34256
Trending Score: 37
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-27681 · EXP
SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
Trending: 67
MEDIUM · CVE-2026-27674 · EXP
Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
Trending: 44
MEDIUM · CVE-2026-27683 · EXP
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 40
LOW · CVE-2026-27675 · EXP
Code Injection vulnerability in SAP Landscape Transformation
Trending: 38
MEDIUM · CVE-2026-24318
Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 34

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026
Updated (cvssEstimate, tags): Apr 14, 2026

Version History

v2, last enriched 15h ago

v2 · Tier C · 15h ago
Updated exploit availability to false, actively exploited status to false, and added CVE-2026-34256 as a new tag.
Fields: cvssEstimate, tags
via VulDB

v1 · 20h ago
Initial creation