ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-44751 — SAP ABAP Missing Authorization Check Enables Privilege Escalation via Report Generation

A short review of CVE-2026-44751, a high severity missing authorization vulnerability in SAP Application Server ABAP that allows authenticated users to overwrite other users' report data and escalate privileges. Patch information and affected version details are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

Brief Summary: CVE-2026-44751 — SAP ABAP Missing Authorization Check Enables Privilege Escalation via Report Generation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in SAP Application Server ABAP's report generation functionality allows any authenticated user to overwrite executable reports owned by other users, achieving privilege escalation with a CVSS 7.1 rating. For organizations running SAP as the backbone of their financial and operational processes, this vulnerability quietly undermines the integrity of business data without triggering confidentiality alarms, making it particularly insidious to detect through conventional monitoring.

This flaw, tracked as CVE-2026-44751 and disclosed on June 9, 2026, continues a pattern of CWE-862 (Missing Authorization) defects that have appeared in every SAP Security Patch Day cycle throughout 2026. With SAP's products deployed across more than 157 countries and underpinning the operations of most Fortune 500 companies, the potential blast radius is substantial.

Technical Information

Root Cause: Missing AUTHORITY-CHECK in Report Generation

CVE-2026-44751 is classified under CWE-862 (Missing Authorization), a weakness where the application does not perform an authorization check when an actor attempts to access a resource or perform an action. In the SAP ABAP runtime, the AUTHORITY-CHECK statement is the primary mechanism for enforcing role-based access control. Every sensitive operation in ABAP code is expected to include an AUTHORITY-CHECK call that validates the current user's authorization objects before proceeding. When this statement is absent, the entire role-based security model is bypassed for that code path.

The vulnerability exists in the SAP_BASIS layer of the SAP Application Server ABAP, specifically within the report generation functionality. As stated in the CVE record, the application server ABAP "does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges."

The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, which breaks down as follows:

Vector ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely
Attack Complexity (AC)LowNo special conditions required
Privileges Required (PR)LowAny authenticated user
User Interaction (UI)NoneNo victim action needed
Scope (S)UnchangedImpact limited to vulnerable component
Confidentiality (C)NoneNo data disclosure
Integrity (I)HighFull modification of data
Availability (A)LowMinor disruption possible

Attack Flow

The exploitation of CVE-2026-44751 follows a straightforward sequence:

  1. Authentication: The attacker authenticates to the SAP system with any valid user account. No administrative or elevated privileges are required; a standard dialog user with minimal role assignments is sufficient.

  2. Report generation invocation: The attacker triggers the report generation function within the ABAP application server. This could be done through a transaction, an RFC call, or any interface that reaches the vulnerable code path. Because the code lacks an AUTHORITY-CHECK statement, the system does not verify whether the user is authorized to generate that specific report or write to the target output destination.

  3. Data overwrite: The report generation command writes output to a location or data object belonging to another user. This effectively overwrites the target user's information, which could include executable report variants, saved report outputs, or other user-specific data objects.

  4. Privilege escalation: By overwriting another user's report data, the attacker achieves privilege escalation. Depending on the nature of the overwritten data, this could allow the attacker to manipulate business logic, alter financial records, or inject malicious content into reports that other users subsequently execute.

The Integrity-First Impact Profile

A notable characteristic of this vulnerability is its impact profile: high integrity impact with no confidentiality impact. This means an attacker can corrupt or replace business data without the attack being visible to security monitoring tools focused on data exfiltration or unauthorized reads. Traditional SIEM rules that look for unusual data access patterns may not trigger, because the attacker is writing data rather than reading it. Organizations should consider this when designing detection strategies; change document logging and integrity monitoring become the primary detection mechanisms.

ABAP-Specific Context

Within SAP systems, missing authorization checks commonly occur in BAPIs (Business Application Programming Interfaces), RFC-enabled function modules, OData services, and ALV reports. SecurityBridge's analysis of this vulnerability class explains that "a missing SAP authority vulnerability check is a security flaw in which ABAP code fails to validate whether the current user possesses the required authorizations before executing a sensitive function or accessing protected data." The AUTHORITY-CHECK statement is not automatically enforced by the ABAP runtime; developers must explicitly include it in every sensitive code path. This manual enforcement model is the systemic root cause behind the recurring appearance of CWE-862 flaws in SAP products.

A directly comparable vulnerability, CVE-2026-0509, was addressed in the February 2026 SAP Patch Day. That flaw allowed "an authenticated, low-privileged user to perform background Remote Function Calls" without proper authorization checks in SAP NetWeaver Application Server ABAP and ABAP Platform. The pattern is consistent: missing AUTHORITY-CHECK statements in different ABAP code paths, each enabling a different unauthorized action.

Patch Information

SAP has released an official fix via SAP Security Note 3735546, published as part of the June 9, 2026 SAP Security Patch Day cycle. The CVE record on cve.org confirms SAP SE as the CNA and provides the authoritative vulnerability details.

The patch addresses the root cause by introducing the missing authorization checks into the affected report generation code path. This follows a well-established SAP remediation pattern for CWE-862 defects in ABAP. The same approach was used two months earlier in the analogous CVE-2026-34256 (SAP Note 3731908, April 2026 Patch Day), which was also rated CVSS 7.1 and dealt with a missing authorization check in SAP ERP and SAP S/4HANA that allowed overwriting of ABAP reports. In that April case, SecurityBridge confirmed the fix involved patching specific ABAP programs (RGJVCORG and RGJVCORX) to enforce proper authorization validation before report generation operations. SAP Note 3735546 applies the equivalent enforcement at the SAP_BASIS level for the report generation command exploited in CVE-2026-44751.

Affected SAP_BASIS Versions

The vulnerability affects SAP_BASIS across a wide range of versions: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, and 816.

How to Apply the Patch

The full technical details of SAP Note 3735546, including specific correction instructions, affected kernel patch levels, and support package versions, are available exclusively through the authenticated SAP for Me portal at https://me.sap.com/notes/3735546. Customers should apply the note using transaction SNOTE (SAP Note Assistant) or by importing the relevant support package stack that includes the correction. As is standard for SAP Security Notes with high severity, SAP delivers fixes for support packages shipped within the last 24 months for all versions under mainstream and extended maintenance.

Compensating Controls

While the patch is being applied, the following compensating controls can reduce risk:

  • Restrict report generation transactions: Limit access to report generation transactions to only users who genuinely require them. Review authorization objects governing report output destinations.
  • Enforce principle of least privilege: Review and tighten role assignments across ABAP user accounts. Ensure low-privileged users cannot access report generation functions they do not need.
  • Monitor change logs: Activate and audit SAP change document logging for the affected objects. Since the vulnerability involves overwriting another user's data, change logs can help detect unauthorized modifications.
  • Enable SAP Security Audit Log: Use transactions SM19/SM20 to track report generation activities and correlate them with user sessions.

Affected Systems and Versions

The vulnerability affects the SAP Application Server ABAP component at the SAP_BASIS layer. The following specific versions are confirmed affected:

  • SAP_BASIS 700
  • SAP_BASIS 701
  • SAP_BASIS 702
  • SAP_BASIS 731
  • SAP_BASIS 740
  • SAP_BASIS 750
  • SAP_BASIS 751
  • SAP_BASIS 752
  • SAP_BASIS 753
  • SAP_BASIS 754
  • SAP_BASIS 755
  • SAP_BASIS 756
  • SAP_BASIS 757
  • SAP_BASIS 758
  • SAP_BASIS 816

This version range spans from SAP NetWeaver 7.0 through the latest SAP_BASIS releases, meaning virtually all actively maintained SAP ABAP systems are potentially affected. Organizations running any of these SAP_BASIS versions should prioritize applying SAP Security Note 3735546.

Vendor Security History

SAP's 2026 Security Patch Day history reveals a persistent pattern of CWE-862 (Missing Authorization) vulnerabilities in the ABAP platform:

MonthTotal NotesNotable ABAP Authorization CVEs
January 202617Multiple authorization flaws, 4 Critical (CVSS 9.1 to 9.9)
February 202626CVE-2026-0509: Missing auth check in ABAP RFC
March 202615Authorization flaws noted
April 202620CVE-2026-34256: Missing auth check in report generation (CVSS 7.1)
May 202615Supply chain attack vector, 2 Critical
June 2026PendingCVE-2026-44751: Missing auth check in report generation (CVSS 7.1)

The April 2026 vulnerability CVE-2026-34256 is particularly relevant as a direct predecessor. It shared the same CVSS score (7.1), the same CWE classification (CWE-862), and the same attack pattern (overwriting ABAP reports via missing authorization checks). The fix for that vulnerability involved patching specific ABAP programs to enforce proper authorization validation, and SAP Note 3735546 applies the equivalent enforcement for CVE-2026-44751.

Beyond the CWE-862 pattern, the confirmed wild exploitation of CVE-2025-42957 (CVSS 9.9) in September 2025 demonstrates that SAP ABAP vulnerabilities are not theoretical risks. SecurityWeek reported that this critical SAP S/4HANA code injection flaw "allowing full system takeover has been exploited in the wild." This precedent underscores the importance of treating CVE-2026-44751 as a pre-exploitation window and patching before threat actors develop exploits.

The recurring nature of these authorization bypass flaws suggests a systemic challenge in SAP's ABAP development process, likely related to the manual nature of AUTHORITY-CHECK enforcement and the massive volume of ABAP code across the platform. Organizations should invest in automated ABAP code scanning using SAP Code Inspector (SCI) or ABAP Test Cockpit (ATC) to detect missing AUTHORITY-CHECK statements proactively, rather than relying solely on monthly vendor patches.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization