CVE-2026-23689
Published: 10 February 2026
Summary
CVE-2026-23689 is a high-severity Unchecked Input for Loop Condition (CWE-606) vulnerability in SAP Supply Chain Management. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit-likelihood ranking is at the 28.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-Service Protection): directly mitigates resource exhaustion by rate-limiting and monitoring traffic and by bounding how long a loop driven by caller-supplied parameters may run.
- SC-6 (Resource Availability): safeguards system resources against unauthorized excessive consumption triggered by repeated invocations of the vulnerable function module.
- SI-10 (Information Input Validation): prevents exploitation by rejecting or sanitizing excessively large loop-control parameters in remote-enabled function module requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1499.004 (Application or System Exploitation): the vulnerability directly enables application-level resource-exhaustion DoS via crafted remote function calls that exploit uncontrolled loop/parameter handling.
NVD Description
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
Deeper analysis
CVE-2026-23689 is an uncontrolled resource consumption vulnerability, classified as a Denial of Service (DoS), affecting a remote-enabled function module in SAP software. An authenticated attacker with regular user privileges and network access can exploit it by repeatedly invoking the module with an excessively large loop-control parameter, triggering prolonged loop execution that consumes excessive system resources and potentially renders the system unavailable. The vulnerability impacts availability only, with no effect on confidentiality or integrity, and is associated with CWE-606 (Unchecked Input for Loop Condition) and CWE-770 (Allocation of Resources Without Limits or Throttling). It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
An attacker requires authentication as a regular user with network access to the vulnerable SAP system. Exploitation involves sending crafted requests to the remote-enabled function module, specifying a large loop-control parameter that causes extended computation and resource exhaustion, such as high CPU usage. Successful attacks lead to a denial-of-service condition, making the system unresponsive and disrupting services for all users.
SAP advisories provide mitigation details, including patches available via SAP Security Patch Day at https://url.sap/sapsecuritypatchday and specific guidance in SAP Note 3703092 at https://me.sap.com/notes/3703092. Security practitioners should review these resources for applicable updates and configuration recommendations to address the vulnerability.
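As an added illustration (constructed here, not SAP's code and not the function module affected by this CVE), the following Python models the CWE-606 pattern the analysis describes beside a hardened handler that applies the controls listed above: an upper bound on the loop-control parameter (input validation) and a per-caller iteration budget so repeated calls cannot exhaust CPU (SC-5/SC-6). The constants MAX_ITERATIONS, BUDGET_PER_WINDOW and WINDOW_SECONDS and all function names are hypothetical.

```python
import time
from collections import defaultdict

MAX_ITERATIONS = 1_000     # hypothetical per-call ceiling on the loop-control parameter
BUDGET_PER_WINDOW = 5_000  # hypothetical per-caller iteration budget per window
WINDOW_SECONDS = 60.0

class ParameterRejected(ValueError):
    """Raised instead of running a loop whose bound the remote caller chose."""

def vulnerable_handler(loop_count: int) -> int:
    # CWE-606: the loop bound comes straight from the caller, so one large value
    # (or many repeated calls) burns CPU for as long as the caller wants.
    total = 0
    for i in range(loop_count):
        total += i % 7
    return total

class Throttle:
    """Per-caller iteration budget over a sliding window (CWE-770 / SC-6)."""
    def __init__(self, now=time.monotonic):
        self._now = now                   # injectable clock so tests are deterministic
        self._spent = defaultdict(list)   # caller -> [(timestamp, iterations)]

    def charge(self, caller: str, iterations: int) -> None:
        now = self._now()
        recent = [(t, n) for t, n in self._spent[caller] if now - t < WINDOW_SECONDS]
        if sum(n for _, n in recent) + iterations > BUDGET_PER_WINDOW:
            raise ParameterRejected(f"{caller}: iteration budget exhausted")
        recent.append((now, iterations))
        self._spent[caller] = recent

def hardened_handler(caller: str, loop_count, throttle: Throttle) -> int:
    # Input validation (SI-10): only a bounded non-negative int reaches the loop;
    # bool is excluded explicitly because it subclasses int in Python.
    if isinstance(loop_count, bool) or not isinstance(loop_count, int) or loop_count < 0:
        raise ParameterRejected("loop_count must be a non-negative integer")
    if loop_count > MAX_ITERATIONS:
        raise ParameterRejected(f"loop_count {loop_count} exceeds {MAX_ITERATIONS}")
    throttle.charge(caller, loop_count)    # repeated calls drain a per-caller budget (SC-5)
    return vulnerable_handler(loop_count)  # same computation, now bounded

def rejects(caller: str, loop_count, throttle: Throttle) -> bool:
    """True when hardened_handler refuses the request (helper for verification)."""
    try:
        hardened_handler(caller, loop_count, throttle)
    except ParameterRejected:
        return True
    return False
```

In a real RFC-enabled module the same two checks belong at the top of the function module, before any work is scheduled, with the rejection logged so repeated oversized requests from one user are visible to operations.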
Details
- CWE(s)