CVE-2026-44748: XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
XML Signature Wrapping is a vulnerability in the SAML authentication handling of SAP NetWeaver Application Server ABAP and ABAP Platform. An attacker can reach this vulnerability over the network using any low-privilege account, with no victim interaction required, by capturing a valid signed SAML message and replaying a tampered version that bypasses the XML signature verifier. Successful exploitation allows the attacker to impersonate arbitrary users, read sensitive user data, modify application state, and disrupt normal system availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment SAP publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle affected SAP_BASIS components. Any image carrying an affected SAP_BASIS version (702, 731, 740, or 750) is flagged immediately on scan.
Status: Available
HarborGuard scores this finding at CVSS 9.9 Critical and applies per-environment compliance policy weighting to prioritize alert routing. Triage tickets are delivered to the appropriate team inbox within each customer organization based on their configured escalation rules.
Status: Available
Because SAP has not yet published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the SAP NetWeaver AS ABAP service over the network; the vulnerability is exposed on any network-accessible SAML endpoint.
- Authentication: Required
Any low-privilege account is sufficient; the attacker needs only a normal user session to obtain a valid signed SAML message for manipulation.
- Victim interaction: Not required
No victim action is needed; the attacker submits the tampered XML document directly to the verifier without involving another user.
- Attack complexity
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond network access and a valid session.
Blast Radius
- The attacker impersonates arbitrary users by injecting tampered identity assertions, gaining access to accounts and resources beyond their own privileges.
- Sensitive user data stored or accessible through the SAP application, including personal records and business data, is exposed to direct read access.
- The attacker can modify persisted application data and business records by acting under the identity of impersonated users.
- The availability of the affected SAP NetWeaver instance can be disrupted, interrupting business-critical processes that depend on the ABAP platform.
How HarborGuard Handles This
Available on HarborGuard: because no fix version has been published by SAP at this time, HarborGuard continuously re-checks the advisory on every feed ingest cycle and will surface a patched-image rebuild the moment SAP releases a corrective SAP_BASIS patch for versions 702, 731, 740, or 750. In the interim, customers are advised to apply network-policy isolation to restrict SAML endpoint exposure to trusted identity providers only, apply egress filtering to limit lateral movement by any session operating under a stolen identity, and review SAP's published SAML configuration hardening guidance to reduce the attack surface of the XML signature verification path. Where compliance policy permits, customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and a PR opened against affected workloads as soon as an upstream fix is confirmed, with a typical median turnaround of around 90 minutes from patch publication to merged PR for Critical-severity issues.
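A structural gate of the kind that narrows the XML signature verification path mentioned above, as an added example (not SAP or HarborGuard code): it flags SAML responses whose layout would let the signed element differ from the one an application consumes. The function name, finding strings, sample document and IDs are constructed for illustration, and the check assumes enveloped signatures with a single Reference.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def wrapping_findings(xml_text):
    """Structural checks only; run them in addition to cryptographic verification."""
    # Assumption: the caller has already capped input size and rejected DTDs.
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        return ["root element is not samlp:Response"]
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        findings.append("duplicate ID attribute values")
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != 1:
        findings.append(f"expected 1 Assertion, found {len(assertions)}")
    elif parent[assertions[0]] is not root:
        findings.append("Assertion is not a direct child of Response")
    signed = set()
    for sig in root.iter(DS + "Signature"):
        owner = parent[sig]
        refs = [r.get("URI") for r in sig.iter(DS + "Reference")]
        # Enveloped signature: exactly one Reference, pointing at the element holding it.
        if owner.get("ID") and refs == ["#" + owner.get("ID")]:
            signed.add(owner)
        else:
            findings.append("Signature does not reference its own parent element")
    # The element the application will consume must itself be the signed one.
    if len(assertions) == 1 and not ({assertions[0], root} & signed):
        findings.append("consumed Assertion is not covered by a signature")
    return findings

# Constructed sample: placeholder IDs, no real signature values.
SAMPLE_OK = f"""<samlp:Response xmlns:samlp="{SAMLP[1:-1]}" xmlns:saml="{SAML[1:-1]}"
    xmlns:ds="{DS[1:-1]}" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(wrapping_findings(SAMPLE_OK))
```

An empty result means only that the layout is unambiguous; the signature itself still has to be verified against the trusted identity provider's certificate.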
- SAP_SE / SAP NetWeaver AS ABAP and ABAP Platform: SAP_BASIS 702 · SAP_BASIS 731 · SAP_BASIS 740 · SAP_BASIS 750 · SAP_BASIS 751 · SAP_BASIS 752
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H