Introduction
A missing authorization check in SAP Application Server ABAP's report generation functionality allows any authenticated user to overwrite executable reports owned by other users, achieving privilege escalation with a CVSS 7.1 rating. For organizations running SAP as the backbone of their financial and operational processes, this vulnerability quietly undermines the integrity of business data without triggering confidentiality alarms, making it particularly insidious to detect through conventional monitoring.
This flaw, tracked as CVE-2026-44751 and disclosed on June 9, 2026, continues a pattern of CWE-862 (Missing Authorization) defects that have appeared in every SAP Security Patch Day cycle throughout 2026. With SAP's products deployed across more than 157 countries and underpinning the operations of most Fortune 500 companies, the potential blast radius is substantial.
Technical Information
Root Cause: Missing AUTHORITY-CHECK in Report Generation
CVE-2026-44751 is classified under CWE-862 (Missing Authorization), a weakness where the application does not perform an authorization check when an actor attempts to access a resource or perform an action. In the SAP ABAP runtime, the AUTHORITY-CHECK statement is the primary mechanism for enforcing role-based access control. Every sensitive operation in ABAP code is expected to include an AUTHORITY-CHECK call that validates the current user's authorization objects before proceeding. When this statement is absent, the entire role-based security model is bypassed for that code path.
The vulnerability exists in the SAP_BASIS layer of the SAP Application Server ABAP, specifically within the report generation functionality. As stated in the CVE record, the application server ABAP "does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges."
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, which breaks down as follows:
| Vector Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | Low | Any authenticated user |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Unchanged | Impact limited to vulnerable component |
| Confidentiality (C) | None | No data disclosure |
| Integrity (I) | High | Full modification of data |
| Availability (A) | Low | Minor disruption possible |
Attack Flow
The exploitation of CVE-2026-44751 follows a straightforward sequence:
-
Authentication: The attacker authenticates to the SAP system with any valid user account. No administrative or elevated privileges are required; a standard dialog user with minimal role assignments is sufficient.
-
Report generation invocation: The attacker triggers the report generation function within the ABAP application server. This could be done through a transaction, an RFC call, or any interface that reaches the vulnerable code path. Because the code lacks an
AUTHORITY-CHECKstatement, the system does not verify whether the user is authorized to generate that specific report or write to the target output destination. -
Data overwrite: The report generation command writes output to a location or data object belonging to another user. This effectively overwrites the target user's information, which could include executable report variants, saved report outputs, or other user-specific data objects.
-
Privilege escalation: By overwriting another user's report data, the attacker achieves privilege escalation. Depending on the nature of the overwritten data, this could allow the attacker to manipulate business logic, alter financial records, or inject malicious content into reports that other users subsequently execute.
The Integrity-First Impact Profile
A notable characteristic of this vulnerability is its impact profile: high integrity impact with no confidentiality impact. This means an attacker can corrupt or replace business data without the attack being visible to security monitoring tools focused on data exfiltration or unauthorized reads. Traditional SIEM rules that look for unusual data access patterns may not trigger, because the attacker is writing data rather than reading it. Organizations should consider this when designing detection strategies; change document logging and integrity monitoring become the primary detection mechanisms.
ABAP-Specific Context
Within SAP systems, missing authorization checks commonly occur in BAPIs (Business Application Programming Interfaces), RFC-enabled function modules, OData services, and ALV reports. SecurityBridge's analysis of this vulnerability class explains that "a missing SAP authority vulnerability check is a security flaw in which ABAP code fails to validate whether the current user possesses the required authorizations before executing a sensitive function or accessing protected data." The AUTHORITY-CHECK statement is not automatically enforced by the ABAP runtime; developers must explicitly include it in every sensitive code path. This manual enforcement model is the systemic root cause behind the recurring appearance of CWE-862 flaws in SAP products.
A directly comparable vulnerability, CVE-2026-0509, was addressed in the February 2026 SAP Patch Day. That flaw allowed "an authenticated, low-privileged user to perform background Remote Function Calls" without proper authorization checks in SAP NetWeaver Application Server ABAP and ABAP Platform. The pattern is consistent: missing AUTHORITY-CHECK statements in different ABAP code paths, each enabling a different unauthorized action.
Patch Information
SAP has released an official fix via SAP Security Note 3735546, published as part of the June 9, 2026 SAP Security Patch Day cycle. The CVE record on cve.org confirms SAP SE as the CNA and provides the authoritative vulnerability details.
The patch addresses the root cause by introducing the missing authorization checks into the affected report generation code path. This follows a well-established SAP remediation pattern for CWE-862 defects in ABAP. The same approach was used two months earlier in the analogous CVE-2026-34256 (SAP Note 3731908, April 2026 Patch Day), which was also rated CVSS 7.1 and dealt with a missing authorization check in SAP ERP and SAP S/4HANA that allowed overwriting of ABAP reports. In that April case, SecurityBridge confirmed the fix involved patching specific ABAP programs (RGJVCORG and RGJVCORX) to enforce proper authorization validation before report generation operations. SAP Note 3735546 applies the equivalent enforcement at the SAP_BASIS level for the report generation command exploited in CVE-2026-44751.
Affected SAP_BASIS Versions
The vulnerability affects SAP_BASIS across a wide range of versions: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, and 816.
How to Apply the Patch
The full technical details of SAP Note 3735546, including specific correction instructions, affected kernel patch levels, and support package versions, are available exclusively through the authenticated SAP for Me portal at https://me.sap.com/notes/3735546. Customers should apply the note using transaction SNOTE (SAP Note Assistant) or by importing the relevant support package stack that includes the correction. As is standard for SAP Security Notes with high severity, SAP delivers fixes for support packages shipped within the last 24 months for all versions under mainstream and extended maintenance.
Compensating Controls
While the patch is being applied, the following compensating controls can reduce risk:
- Restrict report generation transactions: Limit access to report generation transactions to only users who genuinely require them. Review authorization objects governing report output destinations.
- Enforce principle of least privilege: Review and tighten role assignments across ABAP user accounts. Ensure low-privileged users cannot access report generation functions they do not need.
- Monitor change logs: Activate and audit SAP change document logging for the affected objects. Since the vulnerability involves overwriting another user's data, change logs can help detect unauthorized modifications.
- Enable SAP Security Audit Log: Use transactions SM19/SM20 to track report generation activities and correlate them with user sessions.
Affected Systems and Versions
The vulnerability affects the SAP Application Server ABAP component at the SAP_BASIS layer. The following specific versions are confirmed affected:
- SAP_BASIS 700
- SAP_BASIS 701
- SAP_BASIS 702
- SAP_BASIS 731
- SAP_BASIS 740
- SAP_BASIS 750
- SAP_BASIS 751
- SAP_BASIS 752
- SAP_BASIS 753
- SAP_BASIS 754
- SAP_BASIS 755
- SAP_BASIS 756
- SAP_BASIS 757
- SAP_BASIS 758
- SAP_BASIS 816
This version range spans from SAP NetWeaver 7.0 through the latest SAP_BASIS releases, meaning virtually all actively maintained SAP ABAP systems are potentially affected. Organizations running any of these SAP_BASIS versions should prioritize applying SAP Security Note 3735546.
Vendor Security History
SAP's 2026 Security Patch Day history reveals a persistent pattern of CWE-862 (Missing Authorization) vulnerabilities in the ABAP platform:
| Month | Total Notes | Notable ABAP Authorization CVEs |
|---|---|---|
| January 2026 | 17 | Multiple authorization flaws, 4 Critical (CVSS 9.1 to 9.9) |
| February 2026 | 26 | CVE-2026-0509: Missing auth check in ABAP RFC |
| March 2026 | 15 | Authorization flaws noted |
| April 2026 | 20 | CVE-2026-34256: Missing auth check in report generation (CVSS 7.1) |
| May 2026 | 15 | Supply chain attack vector, 2 Critical |
| June 2026 | Pending | CVE-2026-44751: Missing auth check in report generation (CVSS 7.1) |
The April 2026 vulnerability CVE-2026-34256 is particularly relevant as a direct predecessor. It shared the same CVSS score (7.1), the same CWE classification (CWE-862), and the same attack pattern (overwriting ABAP reports via missing authorization checks). The fix for that vulnerability involved patching specific ABAP programs to enforce proper authorization validation, and SAP Note 3735546 applies the equivalent enforcement for CVE-2026-44751.
Beyond the CWE-862 pattern, the confirmed wild exploitation of CVE-2025-42957 (CVSS 9.9) in September 2025 demonstrates that SAP ABAP vulnerabilities are not theoretical risks. SecurityWeek reported that this critical SAP S/4HANA code injection flaw "allowing full system takeover has been exploited in the wild." This precedent underscores the importance of treating CVE-2026-44751 as a pre-exploitation window and patching before threat actors develop exploits.
The recurring nature of these authorization bypass flaws suggests a systemic challenge in SAP's ABAP development process, likely related to the manual nature of AUTHORITY-CHECK enforcement and the massive volume of ABAP code across the platform. Organizations should invest in automated ABAP code scanning using SAP Code Inspector (SCI) or ABAP Test Cockpit (ATC) to detect missing AUTHORITY-CHECK statements proactively, rather than relying solely on monthly vendor patches.
References
- NVD: CVE-2026-44751
- CVE Record: CVE-2026-44751
- SAP Security Note 3735546
- SAP Security Notes and News
- SAP Security Patch Day
- SecurityBridge: SAP Security Patch Day April 2026
- SecurityBridge: Missing SAP Authority Vulnerability Check
- CWE-862: Missing Authorization
- CVE Record: CVE-2026-0509
- Pathlock: SAP Patch Day April 2026
- Onapsis: SAP Security Notes April 2026 Patch Day
- SecurityWeek: Recent SAP S/4HANA Vulnerability Exploited in Attacks
- Onapsis: SAP Threat Intelligence Guide 2026
- Layer Seven Security: SAP Security Notes May 2026
- Pathlock: SAP Authorization Buffer Exploits
- SecurityBridge: SAP Security Patch Day February 2026
- Pathlock: SAP Security Patch Tuesday January 2026



