medium | 2026-04-14 | SAP NetWeaver | CVE-2026-34257

Open Redirect vulnerability in SAP NetWeaver AS ABAP

SAP NetWeaver Application Server ABAP

Our Take

Broad version coverage across virtually every BASIS release makes this relevant to almost everyone. Open redirects are phishing enablers with low exploitation complexity. Patch in the next planned window.

Vulnerability Detail

An unauthenticated attacker can craft malicious URLs that, when accessed by a victim, redirect the victim to an attacker-controlled page. This affects confidentiality and integrity through potential phishing vectors.

Workaround

Extend the allow list in Unified Connectivity (UCON), or the table HTTP_WHITELIST on older releases without UCON.

Patch Action

Apply SAP Note 3692004. After patching, extend the UCON allow list or HTTP_WHITELIST as needed.
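
Added example (not part of the SAP Note or of SAP's code): a pre-patch audit that checks which known redirect destinations an allow list would reject, so the missing entries can be reviewed before they are added. The entry layout (protocol, host pattern, port), the sample entries and the sample URLs are constructed assumptions; this is not the UCON or HTTP_WHITELIST schema.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allow-list entries: (protocol, host pattern, port).
# Assumed layout for illustration only, not the UCON/HTTP_WHITELIST schema.
ALLOW_LIST = [
    ("https", "portal.example.com", 443),
    ("https", "*.apps.example.com", 443),
]


def normalize(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        # Browsers treat "\" like "/", so fold it before parsing.
        parts = urlsplit(url.strip().replace("\\", "/"))
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative or non-http(s) target
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # hostname excludes any "user@" prefix; drop a trailing root dot.
    return scheme, parts.hostname.lower().rstrip("."), port


def is_allowed(url, allow_list=ALLOW_LIST):
    """True only if scheme, host and port all match one allow-list entry."""
    target = normalize(url)
    if target is None:
        return False
    scheme, host, port = target
    return any(
        proto == scheme and entry_port == port and fnmatchcase(host, pattern)
        for proto, pattern, entry_port in allow_list
    )


def missing_entries(known_targets, allow_list=ALLOW_LIST):
    """Absolute redirect targets the allow list would reject."""
    return [u for u in known_targets if not is_allowed(u, allow_list)]
```

Anything `missing_entries` returns is either a legitimate destination that needs an allow-list entry or a target that should stay blocked; a person decides which.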

Affected Versions

SAP_BASIS 700, 701, 702, 731, 740, 750, 752, 753, 754, 755, 756, 757, 758, 816

Patch Info

Timing: 🟡 Next patch window
CVSS Score: 6.1
SAP Note: 3692004
CVE: CVE-2026-34257
Published: 2026-04-14

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.