SAP Material Master RBAC Bypass via Report Execution
CVE-2026-27672 Published on April 14, 2026
Missing Authorization check in Material Master Application
The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.
Vulnerability Analysis
CVE-2026-27672 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-27672 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
SAP_SE Material Master Application:- Version S4CORE 102 is affected.
- Version 103 is affected.
- Version 104 is affected.
- Version 105 is affected.
- Version 106 is affected.
- Version 107 is affected.
- Version 108 is affected.
- Version 109 is affected.
- Version SCM_BASIS 700 is affected.
- Version SCM_BASIS 701 is affected.
- Version SCM_BASIS 702 is affected.
- Version SCM_BASIS 712 is affected.
- Version SCM_BASIS 713 is affected.
- Version SCM_BASIS 714 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.