CVE-2025-26660

SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3557655
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las aplicaciones SAP Fiori que utilizan la librería de publicación no configuran correctamente los parámetros de seguridad durante el proceso de configuración, por lo que los dejan en los valores predeterminados o definidos de forma inadecuada. Esta vulnerabilidad permite que un atacante con pocos privilegios eluda los controles de acceso dentro de la aplicación, lo que le permite modificar potencialmente los datos. La confidencialidad y la disponibilidad no se ven afectadas.

11 Mar 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-11 01:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-26660

Mitre link : CVE-2025-26660

CVE.ORG link : CVE-2025-26660

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

4.3 /10