CVE-2026-0506
Published: 13 January 2026
Summary
CVE-2026-0506 is a high-severity Missing Authorization (CWE-862) vulnerability in Sap Netweaver Application Server Abap. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations for access to system resources, directly mitigating the missing authorization check in the vulnerable RFC function.
SI-2 mandates identification, reporting, and correction of system flaws, enabling timely patching of the authorization vulnerability as provided in SAP Note 3688703.
AC-6 enforces least privilege, limiting the potential impact of the authorization bypass by restricting low-privileged users from executing high-impact FORM routines.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in exposed RFC directly enables remote exploitation of the SAP ABAP application and allows low-privileged authenticated users to escalate via arbitrary FORM routine execution.
NVD Description
Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or…
more
modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
Deeper analysisAI
CVE-2026-0506 is a Missing Authorization Check vulnerability (CWE-862) affecting SAP Application Server ABAP and ABAP Platform. It stems from inadequate authorization validation in an RFC function, enabling an authenticated attacker to execute arbitrary form routines (FORMs) within the ABAP system. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high impacts on integrity and availability with no confidentiality impact. It was published on January 13, 2026.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By misusing the vulnerable RFC function, the attacker can execute FORM routines to write or modify data accessible through those routines and invoke exposed system functionality, potentially leading to unauthorized data alterations and disruptions in system availability.
SAP advisories provide mitigation details in Note 3688703 and as part of the SAP Security Patch Day at https://url.sap/sapsecuritypatchday. Security practitioners should apply the recommended patches to affected ABAP systems to address the authorization bypass.
Details
- CWE(s)