Unauth Resp-Disposition Enum in SAP HANA User Self Service Tools
CVE-2026-44753 Published on July 14, 2026

Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)
SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.

NVD

Vulnerability Analysis

CVE-2026-44753 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).


Products Associated with CVE-2026-44753

Want to know whenever a new CVE is published for SAP Hana Extended Application Services? stack.watch will email you.

 

Affected Versions

SAP_SE SAP HANA Extended Application Services classic model (User Self Service) Version HDB 2.00 is affected by CVE-2026-44753