Cyber Posture

CVE-2026-0488

Critical

Published: 10 February 2026

Modified: 17 February 2026
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0488 is a critical-severity Missing Authorization (CWE-862) vulnerability in the SAP WebClient UI Framework. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the vulnerability by applying SAP-provided patches from security note 3697099 to fix the flawed generic function module call.

prevent: Validates inputs to the Scripting Editor and function module to block arbitrary SQL statement execution and prevent database compromise.

prevent: Enforces approved authorizations for access to critical functionalities in the generic function module, addressing the CWE-862 missing authorization flaw.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Missing authorization (CWE-862) in the network-accessible Scripting Editor lets an authenticated low-privilege attacker run arbitrary SQL, which maps directly to exploitation of a public-facing application and to privilege escalation to full database control.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Deeper analysis

CVE-2026-0488 is a critical vulnerability affecting the Scripting Editor in SAP CRM and SAP S/4HANA. It arises from a flaw in a generic function module call (CWE-862) that enables an authenticated attacker to execute unauthorized critical functionalities, including arbitrary SQL statements. This vulnerability leads to full database compromise, with severe impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker requires only low-privilege authenticated access to exploit this issue over the network, with low attack complexity and no user interaction needed. Exploitation occurs through the Scripting Editor, allowing the execution of arbitrary SQL statements that grant complete control over the database, enabling data exfiltration, tampering, deletion, or other destructive actions.

SAP advisories provide mitigation details in security note 3697099 (https://me.sap.com/notes/3697099) and as part of SAP Security Patch Day (https://url.sap/sapsecuritypatchday), where patches and implementation guidance are available for affected systems.

Details

CWE(s)

CWE-862 (Missing Authorization)

Affected Products

SAP NetWeaver Application Server ABAP: 700
SAP S/4HANA: 102, 103, 104, 105, 106
SAP WebClient UI Framework: 700, 701, 730, 731, 746

CVEs Like This One

CVE-2026-0506 (same product: SAP NetWeaver Application Server ABAP)
CVE-2026-24322 (same vendor: SAP)
CVE-2026-0490 (same vendor: SAP)
CVE-2026-0509 (same vendor: SAP)
CVE-2025-0066 (same vendor: SAP)
CVE-2025-0063 (same vendor: SAP)
CVE-2026-22683 (shared CWE-862)
CVE-2026-41454 (shared CWE-862)
CVE-2025-67967 (shared CWE-862)
CVE-2025-12158 (shared CWE-862)

References