CVE-2026-27678

Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures)

Description

Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.

INFO

Published Date :

2026-04-14T00:07:33.397Z

Last Modified :

2026-04-14T13:14:18.299Z

Source :

sap

AFFECTED PRODUCTS

The following products are affected by CVE-2026-27678 vulnerability.

Vendors	Products
Sap	S/4hana

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27678.

URL	Resource
https://me.sap.com/notes/3715177
https://url.sap/sapsecuritypatchday

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact