CVE-2026-0501
Published: 13 January 2026
Summary
CVE-2026-0501 is a critical-severity SQL Injection (CWE-89) vulnerability in Sap (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0501 is a SQL injection vulnerability stemming from insufficient input validation in the Financials General Ledger component of SAP S/4HANA Private Cloud and On-Premise editions. Published on 2026-01-13, it enables an authenticated user to execute crafted SQL queries against the backend database, allowing unauthorized reading, modification, and deletion of data. The flaw, classified under CWE-89, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting critical severity with high impacts on confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to perform arbitrary SQL operations, potentially leading to complete compromise of sensitive financial data and disruption of application services.
SAP advisories provide mitigation through security note 3687749 at https://me.sap.com/notes/3687749 and details on the SAP Security Patch Day at https://url.sap/sapsecuritypatchday, where administrators are directed to apply the corresponding patches to address the input validation issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2383
Vulnerability details
Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality,…
more
integrity, and availability of the application.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible SAP application directly enables exploitation of a vulnerable public-facing or enterprise app (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause of CVE-2026-0501 by requiring validation of information inputs to prevent crafted SQL injection queries.
Mandates timely remediation of known flaws like this SQL injection vulnerability through patching as provided in SAP security note 3687749.
Enables vulnerability scanning to identify SQL injection flaws such as CVE-2026-0501 in SAP S/4HANA for proactive remediation.