CVE-2026-27681
Published: 14 April 2026
Summary
CVE-2026-27681 is a critical-severity SQL Injection (CWE-89) vulnerability in SAP (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 16.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly addressing the insufficient authorization checks that enable this SQL injection.
- SI-10 (Information Input Validation): validates information inputs to prevent execution of crafted SQL statements that bypass authorization.
- AC-6 (Least Privilege): applies least privilege to authenticated users, limiting the scope and impact of unauthorized database operations performed via SQL injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing SAP application directly enables T1190 (Exploit Public-Facing Application); the resulting database read access maps to T1213.006 (Data from Information Repositories: Databases), while modify and delete actions map to T1565.001 (Stored Data Manipulation) and T1485 (Data Destruction).
NVD Description
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.
Deeper analysis
CVE-2026-27681 is a critical-severity vulnerability stemming from insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse. It enables an authenticated user to execute crafted SQL statements, resulting in SQL injection (CWE-89) that allows reading, modifying, and deleting database data. The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical impact on confidentiality, integrity, and availability. It was published on 2026-04-14.
An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. The vulnerability's changed scope (S:C) amplifies its effects, granting high-level database manipulation capabilities, including unauthorized data exfiltration, alteration, or destruction across the affected SAP components.
SAP advisories provide mitigation details in security note 3719353 and the SAP Security Patch Day page (https://me.sap.com/notes/3719353 and https://url.sap/sapsecuritypatchday). Security practitioners should review these for patch availability, implementation guidance, and any workarounds to address the authorization flaws.
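As an added illustration (not SAP code; the internals of the affected SAP components are not public on this page), the flawed pattern the NVD description implies is shown next to a hardened handler that maps to the AC-3 and SI-10 controls listed above. It is modelled in Python with SQLite, and the table, users and authorization map are constructed sample data.

```python
import sqlite3

# Constructed sample data: planning rows belonging to two cost centres.
_ROWS = [("CC100", "alice", 1200.0), ("CC100", "alice", 300.0), ("CC200", "bob", 9000.0)]
# Constructed authorization map: which cost centres each authenticated user may read.
_AUTHZ = {"alice": {"CC100"}, "bob": {"CC200"}}
# Allowlist of identifiers the application knows about (used for SI-10 validation).
ALLOWED_COST_CENTRES = {"CC100", "CC200"}


def _db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plan(cost_centre TEXT, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO plan VALUES (?, ?, ?)", _ROWS)
    return conn


def vulnerable_query(user, cost_centre):
    """Flawed pattern: the caller is authenticated, but `user` is never checked
    against the requested object (insufficient authorization), and the filter is
    spliced into the SQL text, so a crafted value changes the statement itself."""
    conn = _db()
    sql = "SELECT cost_centre, amount FROM plan WHERE cost_centre = '" + cost_centre + "'"
    return conn.execute(sql).fetchall()


def hardened_query(user, cost_centre):
    """Hardened pattern:
    SI-10: reject any value that is not a known identifier (allowlist validation);
    AC-3:  enforce that this user is authorized for the requested cost centre;
    and bind the value as a query parameter so it can never be parsed as SQL."""
    if cost_centre not in ALLOWED_COST_CENTRES:  # SI-10
        raise ValueError("unknown cost centre")
    if cost_centre not in _AUTHZ.get(user, set()):  # AC-3
        raise PermissionError(f"{user} is not authorized for {cost_centre}")
    conn = _db()
    sql = "SELECT cost_centre, amount FROM plan WHERE cost_centre = ?"
    return conn.execute(sql, (cost_centre,)).fetchall()
```

The flawed handler leaks another user's rows with a perfectly ordinary identifier (the missing check alone is enough), and a crafted filter widens the statement to every row; the hardened handler rejects both before any SQL runs.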
Details
- CWE(s)