low2026-07-14SAP HANACVE-2026-44753
Information Disclosure via Distinguishable Responses in SAP HANA XS Classic
SAP HANA Extended Application Services Classic (XS Classic) — User Self Service
Our Take
XS Classic is a legacy HANA application server technology — if you still run it, include this in your next quarterly HANA maintenance cycle. Username enumeration is low severity in isolation but pairs with credential stuffing attacks.
Vulnerability Detail
An information disclosure vulnerability in the User Self Service component of SAP HANA Extended Application Services Classic (XS Classic) allows an unauthenticated attacker to enumerate valid usernames by observing differences in server responses to valid versus invalid user inputs during password reset or login flows.
Patch Action
Apply SAP Note 3732522. Verify affected versions in the official SAP Note.
Patch Info