Cyber Resilience

CVE-2026-0501

Critical

Published: 13 January 2026

Published
13 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0041 33.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0501 is a critical-severity SQL Injection (CWE-89) vulnerability in Sap (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0501 is a SQL injection vulnerability stemming from insufficient input validation in the Financials General Ledger component of SAP S/4HANA Private Cloud and On-Premise editions. Published on 2026-01-13, it enables an authenticated user to execute crafted SQL queries against the backend database, allowing unauthorized reading, modification, and deletion of data. The flaw, classified under CWE-89, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting critical severity with high impacts on confidentiality, integrity, and availability.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to perform arbitrary SQL operations, potentially leading to complete compromise of sensitive financial data and disruption of application services.

SAP advisories provide mitigation through security note 3687749 at https://me.sap.com/notes/3687749 and details on the SAP Security Patch Day at https://url.sap/sapsecuritypatchday, where administrators are directed to apply the corresponding patches to address the input validation issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality,…

more

integrity, and availability of the application.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in network-accessible SAP application directly enables exploitation of a vulnerable public-facing or enterprise app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89
CVE-2026-21410Shared CWE-89

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause of CVE-2026-0501 by requiring validation of information inputs to prevent crafted SQL injection queries.

prevent

Mandates timely remediation of known flaws like this SQL injection vulnerability through patching as provided in SAP security note 3687749.

detect

Enables vulnerability scanning to identify SQL injection flaws such as CVE-2026-0501 in SAP S/4HANA for proactive remediation.

References