High · 2026-04-14 · SAP ERP / S/4HANA · CVE-2026-34256

Missing Authorization check in SAP ERP and SAP S/4HANA

SAP ERP and SAP S/4HANA (Private Cloud and On-Premise)

Our Take

Overwriting executable programs without authorization is a meaningful integrity risk — especially in audited finance environments. Not a drop-everything emergency, but this should go into your next planned change window within two weeks. Wide version coverage across ERP and S/4HANA means most shops are affected.

Vulnerability Detail

An authenticated attacker can execute a specific ABAP program to overwrite any existing eight-character executable program without authorization. This impacts the availability and integrity of the affected report. Confidentiality is not affected.

Patch Action

Apply SAP Note 3731908.

Affected Versions

SAP_FIN 618/720/730
EA-FIN 617/700
SAPSCORE 135
S4CORE 102–109
EA-APPL 600–606

Patch Info

Timing

🟠 Within 2 weeks

CVSS Score

7.1

SAP Note

3731908

CVE

CVE-2026-34256

Published

2026-04-14

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.