CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-26656: Missing Authorization check in S/4HANA (Manage Purchasing Info Records)

4.3 CVSS

Description

OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.

Classification

CVE ID: CVE-2025-26656

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: S/4HANA (Manage Purchasing Info Records)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 4.43% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26656
https://me.sap.com/notes/3474392
https://url.sap/sapsecuritypatchday

Timeline

2025-03-11 01:40:17 UTC
CVE

Missing Authorization check in S/4HANA (Manage Purchasing Info Records)