high | 2026-05-12 | SAP F&R | CVE-2026-34259

OS Command Injection in SAP Forecasting & Replenishment

SAP Forecasting & Replenishment

Our Take

Admin-level OS command execution is a significant risk in any environment where F&R admins are not also OS administrators. If you run F&R, schedule this within two weeks. The "admin authorisations required" caveat reduces urgency but does not eliminate it.

Vulnerability Detail

Insufficient control over operating system commands in five function modules allows an authenticated attacker with administrative authorisations to execute arbitrary OS commands. The affected functions are not remote-enabled, but exploitation by a privileged user has high impact on confidentiality, integrity, and availability.

Workaround

Restrict administrative authorisations for F&R-related transactions. Review S_RFC and S_TCODE grants for the five affected function modules.
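One way to carry out the grant review above, as an added example that is not part of the advisory or SAP's tooling. It assumes a CSV export of the role authorisation table AGR_1251; the function module and transaction names are placeholders because the page does not list them, and the sample rows are constructed. It flags wildcard and range grants that cover a name without spelling it out.

```python
import csv
import io
from fnmatch import fnmatchcase

# Placeholders: the page does not name the five function modules or any
# transaction codes. Take the real names from SAP Note 3732471.
WATCHLIST = {
    "S_RFC": ("RFC_NAME", ["PLACEHOLDER_FM_1", "PLACEHOLDER_FM_2"]),
    "S_TCODE": ("TCD", ["PLACEHOLDER_TCODE"]),
}

# Constructed sample in the column layout of an AGR_1251 export (role
# authorisation values); role names and values are invented.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_FR_ADMIN,S_RFC,A1,RFC_NAME,PLACEHOLDER_FM_1,
Z_FR_ADMIN,S_RFC,A1,ACTVT,16,
Z_BASIS_ALL,S_RFC,B1,RFC_NAME,*,
Z_FR_PLANNER,S_RFC,C1,RFC_NAME,PLACEHOLDER_A,PLACEHOLDER_G
Z_FR_DISPLAY,S_RFC,D1,RFC_NAME,OTHER_FM,
Z_FR_ADMIN,S_TCODE,E1,TCD,PLACEHOLDER_T*,
Z_FR_DISPLAY,S_TCODE,F1,TCD,SU53,
"""

def covers(low, high, name):
    """True if an authorisation value (LOW, optional HIGH) includes name."""
    if high:
        # Range grant; plain string comparison is a simplification.
        return low <= name <= high
    return fnmatchcase(name, low)  # '*' in LOW acts as a wildcard

def find_grants(export_text):
    """Return sorted (role, object, granted value, covered name) findings."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        field, names = WATCHLIST.get(row["OBJECT"], (None, []))
        if row["FIELD"] != field:
            continue
        low, high = row["LOW"].strip(), (row["HIGH"] or "").strip()
        value = f"{low}..{high}" if high else low
        for name in names:
            if covers(low, high, name):
                findings.add((row["AGR_NAME"], row["OBJECT"], value, name))
    return sorted(findings)

if __name__ == "__main__":
    for role, obj, value, name in find_grants(SAMPLE_EXPORT):
        print(f"{role}: {obj} value {value!r} covers {name}")
```

The output lists roles, not users; join the flagged roles against the role-to-user assignments (table AGR_USERS) to see who actually holds them.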

Patch Action

Apply SAP Note 3732471.

Affected Versions

SCM 702, 712, 713, 714

Patch Info

CVSS Score: 8.2

SAP Note: 3732471

CVE: CVE-2026-34259

Published: 2026-05-12

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.