Cyber Resilience

CVE-2026-0491

CriticalRCE

Published: 13 January 2026

Published
13 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0044 34.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0491 is a critical-severity Code Injection (CWE-94) vulnerability in Sap (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0491 is a critical vulnerability in SAP Landscape Transformation, affecting a function module exposed via RFC. It allows an attacker with administrative privileges to inject arbitrary ABAP code or OS commands into the system, bypassing essential authorization checks. This flaw effectively acts as a backdoor, posing a severe risk of full system compromise and undermining the confidentiality, integrity, and availability of the affected system. The vulnerability is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection).

An attacker requires high-privilege administrative access to exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables the execution of arbitrary code, potentially leading to complete control over the SAP system, including the ability to escalate privileges, exfiltrate data, modify configurations, or disrupt operations.

SAP advisories, including security note 3697979 available at https://me.sap.com/notes/3697979 and details from the SAP Security Patch Day at https://url.sap/sapsecuritypatchday, provide information on patches and mitigation steps to address this issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively…

more

functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

CVE enables arbitrary ABAP/OS command injection (CWE-94) over network-accessible RFC after auth, directly facilitating RCE on enterprise system (T1190) and command/script execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26045Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-67979Shared CWE-94
CVE-2025-6000Shared CWE-94
CVE-2024-54756Shared CWE-94
CVE-2026-42898Shared CWE-94
CVE-2025-71281Shared CWE-94
CVE-2025-70830Shared CWE-94
CVE-2024-55022Shared CWE-94
CVE-2025-22906Shared CWE-94

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific authorization bypass and code injection vulnerability in the SAP RFC function module via timely application of vendor patches.

prevent

Validates inputs to the vulnerable RFC-exposed function module to block arbitrary ABAP code or OS command injection.

prevent

Restricts high-privilege administrative access required for exploitation, minimizing the attack surface for this PR:H vulnerability.

References