CVE-2026-0508
Published: 10 February 2026
Summary
CVE-2026-0508 is a high-severity Open Redirect (CWE-601) vulnerability in SAP BusinessObjects Business Intelligence Platform. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The open redirect in a public-facing SAP application directly enables exploitation of the vulnerable application over the network.
NVD Description
The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.
Deeper analysis
CVE-2026-0508 is an open redirect vulnerability (CWE-601) in the SAP BusinessObjects Business Intelligence Platform. It enables an authenticated attacker with high privileges to insert a malicious URL within the application. When exploited, clicking the URL leads to an unvalidated redirect to an attacker-controlled domain, potentially resulting in the download of malicious content. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N), indicating high impacts on confidentiality and integrity with no availability effects. It was published on 2026-02-10.
An authenticated attacker possessing high privileges can exploit this vulnerability over the network by embedding a malicious URL in the application. Exploitation requires high attack complexity and user interaction, as a victim must click the URL, after which the scope changes to allow redirection to the attacker's domain. Successful exploitation enables the download of malicious content, compromising the confidentiality and integrity of affected systems.
SAP advisories provide mitigation details, including a patch referenced in SAP Note 3674246, available at https://me.sap.com/notes/3674246. Additional guidance is part of the SAP Security Patch Day at https://url.sap/sapsecuritypatchday.
Details
- CWE(s)