medium2026-05-12SAP S/4HANACVE-2026-40134

Missing Authorization Check in SAP Incentive & Commission Management

SAP Incentive & Commission Management

Our Take

Sales compensation data is sensitive — even if low severity, the audit and HR implications matter. Planned window.

Vulnerability Detail

Missing authorisation check in the Incentive & Commission Management functionality allows an authenticated attacker to access or modify incentive-related data without proper permissions.

Patch Action

Apply SAP Note 3718508.

Affected Versions

S4CORE 102–109

Patch Info

CVSS Score

4.3

SAP Note

3718508 ↗

CVE

CVE-2026-40134

Published

2026-05-12

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.

← All patches