SAP Enterprise Search ABAP SQL Injection
CVE-2026-34260 Published on May 12, 2026

SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

NVD

Vulnerability Analysis

CVE-2026-34260 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-34260 has been classified to as a SQL Injection vulnerability or weakness.


Products Associated with CVE-2026-34260

Want to know whenever a new CVE is published for SAP S4hana? stack.watch will email you.

SAP S4hana
 

Affected Versions

SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP):