CVE-2026-0490
Published: 10 February 2026
Summary
CVE-2026-0490 is a high-severity Missing Authorization (CWE-862) vulnerability in Sap Businessobjects Business Intelligence Platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing SAP endpoint (T1190) via crafted request leading to application DoS (T1499.004).
NVD Description
SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on…
more
the availability but no impact on the confidentiality and integrity.
Deeper analysisAI
CVE-2026-0490 affects the SAP BusinessObjects BI Platform, where an unauthenticated attacker can craft a specific network request to a trusted endpoint. This request breaks the authentication mechanism, preventing legitimate users from accessing the platform. The vulnerability has a high impact on availability but no impact on confidentiality or integrity, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-862 (Missing Authorization).
An attacker requires only network access to the vulnerable endpoint, with low attack complexity, no privileges, and no user interaction. By sending the crafted request, the attacker disrupts authentication services, causing a denial-of-service condition that blocks legitimate users from the BI Platform.
SAP provides mitigation details in security note 3654236 at https://me.sap.com/notes/3654236 and as part of SAP Security Patch Day at https://url.sap/sapsecuritypatchday, where patches and remediation steps are available for affected systems.
Details
- CWE(s)