HTTP Req Smuggling in SAP Approuter: High-Impact CnC/AV
CVE-2026-27690 Published on July 14, 2026

HTTP Request Smuggling in SAP Approuter
Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.

NVD

Vulnerability Analysis

CVE-2026-27690 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2026-27690 has been classified to as a HTTP Request Smuggling vulnerability or weakness.


Affected Versions

SAP_SE SAP Approuter Version SAP Approuter node.js package < 20.10.0 is affected by CVE-2026-27690