high | 2026-04-14 | SAP ERP / S/4HANA | CVE-2026-34256

Missing Authorization check in SAP ERP and SAP S/4HANA

SAP ERP and SAP S/4HANA (Private Cloud and On-Premise)

Our Take

Overwriting executable programs without authorization is a meaningful integrity risk — especially in audited finance environments. Not a drop-everything emergency, but this should go into your next planned change window within two weeks. Wide version coverage across ERP and S/4HANA means most shops are affected.

Vulnerability Detail

An authenticated attacker can execute a specific ABAP program to overwrite any existing eight-character executable program without authorization. This impacts the availability and integrity of the affected report. Confidentiality is not affected.

Patch Action

Apply SAP Note 3731908.

Affected Versions

SAP_FIN 618/720/730
EA-FIN 617/700
SAPSCORE 135
S4CORE 102–109
EA-APPL 600–606

Patch Info

CVSS Score: 7.1
SAP Note: 3731908
CVE: CVE-2026-34256
Published: 2026-04-14

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.