CVE-2026-0508
Published: 10 February 2026
Summary
CVE-2026-0508 is a high-severity Open Redirect (CWE-601) vulnerability in SAP BusinessObjects Business Intelligence Platform. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0508 is an open redirect vulnerability (CWE-601) in the SAP BusinessObjects Business Intelligence Platform. It enables an authenticated attacker with high privileges to insert a malicious URL within the application. When exploited, clicking the URL leads to an unvalidated redirect to an attacker-controlled domain, potentially resulting in the download of malicious content. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N), indicating high impacts on confidentiality and integrity with no availability effects. It was published on 2026-02-10.
An authenticated attacker possessing high privileges can exploit this vulnerability over the network by embedding a malicious URL in the application. Exploitation requires high attack complexity and user interaction, as a victim must click the URL, after which the scope changes to allow redirection to the attacker's domain. Successful exploitation enables the download of malicious content, compromising the confidentiality and integrity of affected systems.
SAP advisories provide mitigation details, including a patch referenced in SAP Note 3674246, available at https://me.sap.com/notes/3674246. Additional guidance is published as part of SAP Security Patch Day at https://url.sap/sapsecuritypatchday.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6388
Vulnerability details
The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert a malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An open redirect in a public-facing SAP application directly enables exploitation of the vulnerable application over the network.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Validates all URL inputs before storage or use, directly blocking insertion of untrusted redirect targets in SAP BusinessObjects.
Enforces information flow rules that restrict redirects to only approved internal domains, stopping the unvalidated external redirection.
Filters application output containing redirect URLs to ensure they point only to trusted locations before the victim is sent to attacker-controlled content.
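The input validation and flow restriction described in these controls, as an added example (not SAP's code or fix): a check applied to a user-supplied link before it is stored or used as a redirect target. The allowlisted host names, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of trusted redirect hosts (placeholders, not SAP values).
ALLOWED_HOSTS = {"bi.example.internal", "reports.example.internal"}
ALLOWED_SCHEMES = {"https"}


def is_safe_redirect(target: str) -> bool:
    """True only for a same-site path or an allowlisted https URL."""
    if not target or target != target.strip():
        return False
    # Browsers and urlsplit normalise backslashes and control characters
    # differently, so reject them instead of guessing.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single-slash absolute path only;
        # "//host" and "///host" are treated as external by browsers.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject userinfo tricks such as https://trusted@other-host/.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS  # exact match, no suffix matching


def rejected_links(links):
    """Return the links that must not be stored or followed."""
    return [link for link in links if not is_safe_redirect(link)]


# Constructed sample input: links an administrator might submit.
SAMPLE_LINKS = [
    "/BOE/BI",
    "https://reports.example.internal/doc?id=1",
    "//files.example.net/update.exe",
    "https://bi.example.internal@files.example.net/",
    "https://bi.example.internal.files.example.net/",
    "http://bi.example.internal/",
]

if __name__ == "__main__":
    for link in rejected_links(SAMPLE_LINKS):
        print("rejected:", link)
```

Running the same check when the link is saved and again when the redirect is issued covers links that were stored before the validation existed.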