SAP Strategic Enterprise Management SBSP Auth Bypass (CVE-2026-40132)
CVE-2026-40132 Published on May 12, 2026
Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the applications availability.
Vulnerability Analysis
CVE-2026-40132 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-40132 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
SAP_SE SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard):- Version SEM-BW 605 is affected.
- Version 700 is affected.
- Version 736 is affected.
- Version 746 is affected.
- Version 747 is affected.
- Version 748 is affected.
- Version 749 is affected.
- Version 800 is affected.