CVE-2026-0491
Published: 13 January 2026
Summary
CVE-2026-0491 is a critical-severity Code Injection (CWE-94) vulnerability in Sap (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific authorization bypass and code injection vulnerability in the SAP RFC function module via timely application of vendor patches.
Validates inputs to the vulnerable RFC-exposed function module to block arbitrary ABAP code or OS command injection.
Restricts high-privilege administrative access required for exploitation, minimizing the attack surface for this PR:H vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables arbitrary ABAP/OS command injection (CWE-94) over network-accessible RFC after auth, directly facilitating RCE on enterprise system (T1190) and command/script execution (T1059).
NVD Description
SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively…
more
functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
Deeper analysisAI
CVE-2026-0491 is a critical vulnerability in SAP Landscape Transformation, affecting a function module exposed via RFC. It allows an attacker with administrative privileges to inject arbitrary ABAP code or OS commands into the system, bypassing essential authorization checks. This flaw effectively acts as a backdoor, posing a severe risk of full system compromise and undermining the confidentiality, integrity, and availability of the affected system. The vulnerability is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection).
An attacker requires high-privilege administrative access to exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables the execution of arbitrary code, potentially leading to complete control over the SAP system, including the ability to escalate privileges, exfiltrate data, modify configurations, or disrupt operations.
SAP advisories, including security note 3697979 available at https://me.sap.com/notes/3697979 and details from the SAP Security Patch Day at https://url.sap/sapsecuritypatchday, provide information on patches and mitigation steps to address this issue.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: backdoor