medium2026-04-14SAP S/4HANACVE-2026-34261

Missing Authorization check in SAP Business Analytics and SAP Content Management

SAP Business Analytics and SAP Content Management

Our Take

Authorization bypass on remote-enabled function modules is always worth addressing. Confidentiality impact is high per the CVSS detail. Next patch window.

Vulnerability Detail

Remote-enabled function modules allow an authenticated user to access sensitive information beyond their intended permissions. After patching, the vulnerable function modules are no longer accessible remotely.

Patch Action

Apply SAP Note 3705094.

Affected Versions

S4HCMRXX 100

101

102 / SAP_HRRXX 600

604

608

Patch Info

CVSS Score

6.5

SAP Note

3705094 ↗

CVE

CVE-2026-34261

Published

2026-04-14

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.

← All patches