Zero Day MonitorZDM

← Back to list

4.2

CVE-2026-24318

sap · sap businessobjects business intelligence platform

Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform

Description

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim�s authenticated context. This could allow the attacker to access or modify information within the victim�s session scope, impacting confidentiality and integrity, while availability remains unaffected.

Affected Products

Vendor	Product	Versions
sap	sap businessobjects business intelligence platform	ENTERPRISE 430, 2025, 2027

References

Related News (2 articles)

Tier B

CCCS Canada4h ago

SAP security advisory – April 2026 monthly rollup (AV26-349)

→ No new info (linked only)

Tier C

VulDB12h ago

CVE-2026-24318 | SAP BusinessObjects Business Intelligence Platform 2025/2027/ENTERPRISE 430 persistent cookies containing sensitive information

→ No new info (linked only)

CVSS 3.14.2 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-539

PublishedApr 14, 2026

Last enriched12h agov2

Trending Score34

Source articles2

Independent2

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-27681EXP

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

MEDIUMCVE-2026-27674EXP

Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

MEDIUMCVE-2026-27683EXP

Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

LOWCVE-2026-27675EXP

Code Injection vulnerability in SAP Landscape Transformation

HIGHCVE-2026-34256

Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: description, severity

Apr 14, 2026

Version History

v2

Last enriched 12h ago

v2Tier C12h ago

Updated description with new details about persistent cookies and changed severity to HIGH.

descriptionseverity

via VulDB

v118h ago

Initial creation