SAP ICM Remote Function Exec Bypass Auth - Low Integrity
CVE-2026-40134 Published on May 12, 2026
Missing Authorization Check in SAP Incentive and Commission Management
Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
Vulnerability Analysis
CVE-2026-40134 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-40134 has been classified as an AuthZ vulnerability or weakness.
Affected Versions
SAP_SE SAP Incentive and Commission Management:
- Version SAP_APPL 618 is affected.
- Version S4CORE 102 is affected.
- Version 103 is affected.
- Version 104 is affected.
- Version 105 is affected.
- Version 106 is affected.
- Version 107 is affected.
- Version 108 is affected.
- Version 109 is affected.
- Version EA-APPL 600 is affected.
- Version 604 is affected.
- Version 605 is affected.
- Version 606 is affected.
- Version 617 is affected.