SAP ODP-RFC API - Caller Identification Missing Opens Data Disclosure
CVE-2026-44754 Published on June 9, 2026
Missing caller identification check-in for ODP Data Replication APIs
The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
Vulnerability Analysis
CVE-2026-44754 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a small impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-44754 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
SAP_SE ODP Data Replication APIs:- Version DW4CORE 200 is affected.
- Version 300 is affected.
- Version 400 is affected.
- Version PI_BASIS 2006_1_700 is affected.
- Version 701 is affected.
- Version 702 is affected.
- Version 731 is affected.
- Version 740 is affected.
- Version SAP_BW 750 is affected.
- Version 816 is affected.