low2026-07-14SAP HANACVE-2026-44753

Information Disclosure via Distinguishable Responses in SAP HANA XS Classic

SAP HANA Extended Application Services Classic (XS Classic) — User Self Service

Our Take

XS Classic is a legacy HANA application server technology — if you still run it, include this in your next quarterly HANA maintenance cycle. Username enumeration is low severity in isolation but pairs with credential stuffing attacks.

Vulnerability Detail

An information disclosure vulnerability in the User Self Service component of SAP HANA Extended Application Services Classic (XS Classic) allows an unauthenticated attacker to enumerate valid usernames by observing differences in server responses to valid versus invalid user inputs during password reset or login flows.

Patch Action

Apply SAP Note 3732522. Verify affected versions in the official SAP Note.

Patch Info

CVSS Score

3.7

SAP Note

3732522

CVE

CVE-2026-44753

Published

2026-07-14

← All patches