Insecure Session Management in SAP BO BI Platform Reuses Tokens
CVE-2026-24318 Published on April 14, 2026

Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victims session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victims authenticated context. This could allow the attacker to access or modify information within the victims session scope, impacting confidentiality and integrity, while availability remains unaffected.

NVD

Vulnerability Analysis

CVE-2026-24318 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Use of Persistent Cookies Containing Sensitive Information

The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.

Products Associated with CVE-2026-24318

Want to know whenever a new CVE is published for SAP Businessobjects Business Intelligence Platform? stack.watch will email you.

SAP Businessobjects Business Intelligence Platform

Affected Versions

SAP_SE SAP BusinessObjects Business Intelligence Platform:

Version ENTERPRISE 430 is affected.
Version 2025 is affected.
Version 2027 is affected.

Exploit Probability

EPSS

0.03%

Percentile

9.77%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.