CVE 9.9 CRITICAL

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse_CVE-2026-27681

April 13, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

AI Analysis

SQL Injection vulnerability allowing an authenticated user to execute crafted SQL statements and impact the confidentiality, integrity, and availability of the system

Basic Information

ID CVE-2026-27681

Source sap

Published Apr 14, 2026 at 00:08

Affected Product

Vendor SAP_SE

Product SAP Business Planning and Consolidation and SAP Business Warehouse

Version HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816

Affected Versions SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse HANABPC 810
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse BPC4HANA 300
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse SAP_BW 750
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 752
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 753
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 754
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 755
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 756
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 757
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 758
SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 816

CWE Classification

CWE-89

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor SAP

Product SAP Business Planning and Consolidation and SAP Business Warehouse

Version HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816

References

{
    "lastseen": "",
    "description": "Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.",
    "published": "2026-04-14T00:08:05.791Z",
    "modified": "2026-04-14T00:08:05.791Z",
    "type": "cve",
    "title": "SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse",
    "source": "sap",
    "references": "https://me.sap.com/notes/3719353\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-27681",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse HANABPC 810\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse BPC4HANA 300\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse SAP_BW 750\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 752\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 753\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 754\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 755\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 756\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 757\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 758\nSAP_SE SAP Business Planning and Consolidation and SAP Business Warehouse 816",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP Business Planning and Consolidation and SAP Business Warehouse",
    "version": "HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816",
    "vendor": "SAP_SE",
    "ai_description": "SQL Injection vulnerability allowing an authenticated user to execute crafted SQL statements and impact the confidentiality, integrity, and availability of the system",
    "ai_severity": "Critical",
    "ai_vendor": "SAP",
    "ai_product": "SAP Business Planning and Consolidation and SAP Business Warehouse",
    "ai_version": "HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply