CVE-2026-44751: Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform
Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: no fix version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker to invoke a report generation command without the required permissions. The vulnerability is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation lets the attacker overwrite data belonging to other users, constituting a privilege escalation with high impact on integrity and low impact on availability. No fix version has been published by SAP; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
- Detection: Available
The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle SAP NetWeaver AS ABAP components. Any image carrying a SAP_BASIS release listed under Affected Products below is flagged automatically.
- Scoring and triage: Available
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and applies per-environment compliance policy weighting to surface it in the appropriate team inbox inside each customer organization. Triage context includes the affected component, the impacted SAP_BASIS versions, and a clear statement that no upstream patch is currently available.
- Patched-image rebuild: Pending upstream
Because SAP has not published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment SAP releases an upstream fix. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention as soon as the fix is ingested.
Exploit Conditions
- Network reachability: Required
The attacker must reach the AS ABAP service over the network (AV:N); no local or physical access is required.
- Authentication: Required
A valid low-privilege account on the system is sufficient (PR:L); no administrative or elevated credentials are needed.
- Victim interaction: Not required
The attacker acts entirely alone (UI:N) and does not need any other user to click a link, open a file, or take any action.
- Attack complexity: Low
Exploitation requires no special conditions (AC:L): no race conditions, special memory layout, or unusual environmental factors.
Blast Radius
- Attacker overwrites report data or configuration objects owned by other users, corrupting their work or security-relevant settings.
- By substituting data under another user's identity, the attacker can escalate effective privileges within the ABAP application layer.
- Execution of the unauthorized report generation command can cause minor service degradation or partial unavailability of affected report resources.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is live and flags any image carrying a SAP_BASIS release listed under Affected Products on every scan run in customer pipelines and registries. Because SAP has not yet published a fix, HarborGuard monitors the advisory on each ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled the moment an upstream patch is released. In the interim, compensating controls worth considering:
- Restrict network access to the AS ABAP service to known, trusted source CIDRs only. This does not remove the flaw, since any authenticated user who can still reach the service can trigger it, but it shrinks the population of accounts that matter.
- Review the SAP authorization objects that govern report execution (S_TCODE, S_PROGRAM) in the affected roles so that only explicitly permissioned roles can submit reports or report variants.
- Apply egress filtering to containers running the ABAP stack to limit lateral movement from a compromised instance.
HarborGuard will surface any new SAP advisory that supersedes or supplements this CVE as part of normal feed ingestion.
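The network-restriction and egress-filtering controls above, written out as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard or SAP configuration, and everything in it is assumed: the namespace `sap-abap`, the pod label `app: netweaver-as-abap`, SAP instance number 00 (which gives the default ports 3200 dispatcher, 3300 gateway, 3600 message server, 8000 ICM HTTP, 44300 ICM HTTPS), the database pod label `app: sap-hana` with SQL port 30015, and the trusted client ranges 10.20.0.0/16 and 10.30.5.0/24.

```yaml
# Added example, not vendor configuration. All names, labels, CIDRs and the
# instance number (00) are assumptions; adjust to the real deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: as-abap-restrict-ingress-egress
  namespace: sap-abap
spec:
  podSelector:
    matchLabels:
      app: netweaver-as-abap
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the trusted SAP GUI / RFC / HTTP client ranges may reach the
    # ABAP ports; every other source is dropped by default once this
    # policy selects the pods.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16
        - ipBlock:
            cidr: 10.30.5.0/24
      ports:
        - protocol: TCP
          port: 3200   # dispatcher (DIAG), instance 00
        - protocol: TCP
          port: 3300   # gateway (RFC), instance 00
        - protocol: TCP
          port: 3600   # message server, instance 00
        - protocol: TCP
          port: 8000   # ICM HTTP, instance 00
        - protocol: TCP
          port: 44300  # ICM HTTPS, instance 00
  egress:
    # Egress filtering: the ABAP pods may talk to cluster DNS and to the
    # database only. A compromised instance cannot reach anything else.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: sap-hana   # same namespace; assumed label
      ports:
        - protocol: TCP
          port: 30015  # HANA SQL port, instance 00
```

Two caveats when applying it: the policy only takes effect with a CNI that enforces NetworkPolicy, and it does not close the vulnerability itself, because a low-privilege account inside the trusted ranges still meets the PR:L / AV:N conditions; the authorization-object review of S_TCODE and S_PROGRAM is what narrows who can invoke report generation at all.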
Affected Products
- SAP_SE / SAP NetWeaver AS ABAP and ABAP Platform: SAP_BASIS 700 · SAP_BASIS 701 · SAP_BASIS 702 · SAP_BASIS 731 · SAP_BASIS 740 · SAP_BASIS 750
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L