DoS via uncontrolled loop in SAP NetWeaver Remote-Enabled Function
CVE-2026-23689 Published on February 10, 2026
Denial of service (DOS) in SAP Supply Chain Management
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
Vulnerability Analysis
CVE-2026-23689 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Affected Versions
SAP_SE SAP Supply Chain Management:- Version SCMAPO 713 is affected.
- Version 714 is affected.
- Version SCM 700 is affected.
- Version 701 is affected.
- Version 702 is affected.
- Version 712 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.