critical | 2026-02-11 | SAP NetWeaver | CVE-2026-0509

Missing Authorization Check Allows RFC Background Calls Without S_RFC in SAP NetWeaver AS ABAP

SAP NetWeaver Application Server ABAP and ABAP Platform

Our Take

Wide kernel version coverage means this affects most NetWeaver ABAP landscapes. RFC authorization bypass at CVSS 9.6 is a significant privilege escalation path: anyone with any RFC-capable user account can potentially call function modules they should not have access to. Kernel updates require a brief system downtime, but this one is worth scheduling immediately.

Vulnerability Detail

Authenticated low-privileged users can perform background Remote Function Calls without possessing the required S_RFC authorization. This can allow unauthorized access to RFC-enabled function modules, potentially enabling modification of critical system functions and disruption of operations.

Patch Action

Apply SAP Note 3674774. Kernel patch required — coordinate with BASIS team for kernel downtime.

Affected Versions

KRNL64NUC 7.22/7.22EXT
KERNEL 7.22/7.53/7.54/7.77/7.89/7.93/9.16/9.18/9.19

Patch Info

Priority: 🔴 Patch immediately
CVSS Score: 9.6
SAP Note: 3674774
CVE: CVE-2026-0509
Published: 2026-02-11

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.