Cyber Resilience

CVE-2026-0490

High

Published: 10 February 2026

Published
10 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0012 30.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0490 is a high-severity Missing Authorization (CWE-862) vulnerability in Sap Businessobjects Business Intelligence Platform. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-0490 affects the SAP BusinessObjects BI Platform, where an unauthenticated attacker can craft a specific network request to a trusted endpoint. This request breaks the authentication mechanism, preventing legitimate users from accessing the platform. The vulnerability has a high impact on availability but no impact on confidentiality or integrity, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-862 (Missing Authorization).

An attacker requires only network access to the vulnerable endpoint, with low attack complexity, no privileges, and no user interaction. By sending the crafted request, the attacker disrupts authentication services, causing a denial-of-service condition that blocks legitimate users from the BI Platform.

SAP provides mitigation details in security note 3654236 at https://me.sap.com/notes/3654236 and as part of SAP Security Patch Day at https://url.sap/sapsecuritypatchday, where patches and remediation steps are available for affected systems.

EU & UK References

Vulnerability details

SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on…

more

the availability but no impact on the confidentiality and integrity.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of public-facing SAP endpoint (T1190) via crafted request leading to application DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0485Same product: Sap Businessobjects Business Intelligence Platform
CVE-2026-0508Same product: Sap Businessobjects Business Intelligence Platform
CVE-2025-0061Same product: Sap Businessobjects Business Intelligence Platform
CVE-2025-0064Same product: Sap Businessobjects Business Intelligence Platform
CVE-2026-24322Same vendor: Sap
CVE-2026-0509Same vendor: Sap
CVE-2026-0506Same vendor: Sap
CVE-2026-0488Same vendor: Sap
CVE-2026-23689Same vendor: Sap
CVE-2026-27388Shared CWE-862

Affected Assets

sap
businessobjects business intelligence platform
2025, 2027, 430

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent unauthenticated attackers from accessing the trusted endpoint and breaking the authentication mechanism.

prevent

Protects against denial-of-service events like the crafted network request that disrupts authentication and blocks legitimate user access.

prevent

Requires timely remediation of flaws, including application of SAP patches from security note 3654236, to eliminate the specific authentication-breaking vulnerability.

References