CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-26660: Broken Access Control in SAP Fiori apps (Posting Library)

4.3 CVSS

Description

SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted.

Classification

CVE ID: CVE-2025-26660

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: SAP_SE

Product: SAP Fiori apps (Posting Library)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 15.36% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26660
https://me.sap.com/notes/3557655
https://url.sap/sapsecuritypatchday

Timeline

2025-03-11 01:40:17 UTC
CVE

Broken Access Control in SAP Fiori apps (Posting Library)