Missing Authorization check in SAP NetWeaver Application Server ABAP and...

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

AI Analysis

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, allowing low-privileged users to perform background Remote Function Calls without required authorization.

Basic Information

ID CVE-2026-0509

Source sap

Published Feb 10, 2026 at 03:01

Affected Product

Vendor SAP_SE

Product SAP NetWeaver Application Server ABAP and ABAP Platform

Version KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.53, KERNEL 7.22, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19

Affected Versions SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KRNL64NUC 7.22
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.22EXT
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KRNL64UC 7.22
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.53
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KERNEL 7.22
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.54
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.77
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.89
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.93
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.16
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.18
SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.19

CWE Classification

CWE-862

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor SAP

Product SAP NetWeaver Application Server ABAP and ABAP Platform

Version 7.22, 7.22EXT, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19

References

{
    "lastseen": "",
    "description": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.",
    "published": "2026-02-10T03:01:52.913Z",
    "modified": "2026-02-10T03:01:52.913Z",
    "type": "cve",
    "title": "Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform",
    "source": "sap",
    "references": "https://me.sap.com/notes/3674774\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-0509",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KRNL64NUC 7.22\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.22EXT\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KRNL64UC 7.22\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.53\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform KERNEL 7.22\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.54\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.77\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.89\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 7.93\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.16\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.18\nSAP_SE SAP NetWeaver Application Server ABAP and ABAP Platform 9.19",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP NetWeaver Application Server ABAP and ABAP Platform",
    "version": "KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.53, KERNEL 7.22, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19",
    "vendor": "SAP_SE",
    "ai_description": "Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, allowing low-privileged users to perform background Remote Function Calls without required authorization.",
    "ai_severity": "Critical",
    "ai_vendor": "SAP",
    "ai_product": "SAP NetWeaver Application Server ABAP and ABAP Platform",
    "ai_version": "7.22, 7.22EXT, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19",
    "ai_score": 9.6
}

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform_CVE-2026-0509