CVE-2026-0490
Published: 10 February 2026
Summary
CVE-2026-0490 is a high-severity Missing Authorization (CWE-862) vulnerability in Sap Businessobjects Business Intelligence Platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-0490 affects the SAP BusinessObjects BI Platform, where an unauthenticated attacker can craft a specific network request to a trusted endpoint. This request breaks the authentication mechanism, preventing legitimate users from accessing the platform. The vulnerability has a high impact on availability but no impact on confidentiality or integrity, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-862 (Missing Authorization).
An attacker requires only network access to the vulnerable endpoint, with low attack complexity, no privileges, and no user interaction. By sending the crafted request, the attacker disrupts authentication services, causing a denial-of-service condition that blocks legitimate users from the BI Platform.
SAP provides mitigation details in security note 3654236 at https://me.sap.com/notes/3654236 and as part of SAP Security Patch Day at https://url.sap/sapsecuritypatchday, where patches and remediation steps are available for affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6473
Vulnerability details
SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on…
more
the availability but no impact on the confidentiality and integrity.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing SAP endpoint (T1190) via crafted request leading to application DoS (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to prevent unauthenticated attackers from accessing the trusted endpoint and breaking the authentication mechanism.
Protects against denial-of-service events like the crafted network request that disrupts authentication and blocks legitimate user access.
Requires timely remediation of flaws, including application of SAP patches from security note 3654236, to eliminate the specific authentication-breaking vulnerability.