CVE-2026-0504

Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3657998
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Debido a un manejo insuficiente de entrada, la interfaz REST de SAP Identity Management permite a un administrador autenticado enviar solicitudes REST maliciosas especialmente diseñadas que son procesadas por operaciones JNDI sin una neutralización de entrada adecuada. Esto puede llevar a una divulgación limitada o modificación de datos, resultando en un bajo impacto en la confidencialidad y la integridad, sin impacto en la disponibilidad de la aplicación.

13 Jan 2026, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 02:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-0504

Mitre link : CVE-2026-0504

CVE.ORG link : CVE-2026-0504

JSON object : View

Products Affected

No product.

CWE

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

3.8 /10