SAP ERP/S4HANA ABAP Report Overwrite via Missing Auth Check
CVE-2026-34256 Published on April 14, 2026

Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

NVD

Vulnerability Analysis

CVE-2026-34256 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and a high impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-34256 has been classified as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-34256


Affected Versions

SAP_SE SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise):

Exploit Probability

EPSS: 0.04%
Percentile: 10.73%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.