Severity: high | 2026-06-09 | SAP NetWeaver | CVE-2026-44751

Missing Authorization Check in SAP NetWeaver ABAP Dictionary

SAP NetWeaver and ABAP Platform (ABAP Dictionary Access Control)

Our Take

Extremely broad BASIS version coverage — every ABAP system from BASIS 700 to 816. The ABAP Dictionary underpins every custom development and configuration in an SAP landscape; unauthorised write access to it is not a minor misconfiguration. Schedule within two weeks.

Vulnerability Detail

A missing authorisation check in the ABAP Dictionary (BC-DWB-DIC-AC) component of SAP NetWeaver and ABAP Platform allows an authenticated attacker with low privileges to access or modify ABAP Dictionary objects beyond their intended permissions. The ABAP Dictionary is the central repository for data definitions, so unauthorised write access could facilitate data manipulation or privilege escalation.

Workaround

Review and tighten S_DEVELOP and S_TABU_DIS authorisations for non-developer roles.
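
One way to run that review offline, as an added example (not SAP's tooling and not part of the original advisory): it assumes a CSV export carrying a subset of the columns of table AGR_1251, and flags non-developer roles whose ACTVT values for S_DEVELOP or S_TABU_DIS cover write activities. The role names, the `Z_DEV_` prefix convention and the set of activities treated as write access are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of table AGR_1251 (role authorization values).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_SALES_CLERK,S_DEVELOP,T_A1,ACTVT,01,03
Z_SALES_CLERK,S_DEVELOP,T_A1,OBJTYPE,TABL,
Z_SALES_CLERK,S_TABU_DIS,T_A2,ACTVT,03,
Z_SALES_CLERK,S_TABU_DIS,T_A2,DICBERCLS,SS,
Z_HR_VIEWER,S_TABU_DIS,T_B1,ACTVT,*,
Z_HR_VIEWER,S_TABU_DIS,T_B1,DICBERCLS,*,
Z_DEV_ABAP,S_DEVELOP,T_C1,ACTVT,*,
Z_AUDITOR,S_DEVELOP,T_D1,ACTVT,03,
"""

# Activities treated as write access (create, change, delete); adjust to local policy.
WRITE_ACTVT = {"S_DEVELOP": {"01", "02", "06"}, "S_TABU_DIS": {"02"}}
DEVELOPER_ROLE_PREFIXES = ("Z_DEV_",)  # hypothetical naming convention

def grants(low, high, wanted):
    """True if a LOW/HIGH authorization value covers any activity in `wanted`."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:  # interval, e.g. 01-03 also covers 02
        return any(low <= act <= high for act in wanted)
    if low.endswith("*"):  # pattern such as 0*
        return any(act.startswith(low[:-1]) for act in wanted)
    return low in wanted

def risky_roles(export_text):
    """Map non-developer role -> sorted objects granted with write activities."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = row["OBJECT"]
        if obj not in WRITE_ACTVT or row["FIELD"] != "ACTVT":
            continue
        if row["AGR_NAME"].startswith(DEVELOPER_ROLE_PREFIXES):
            continue  # developer roles are expected to hold these activities
        if grants(row["LOW"], row["HIGH"] or "", WRITE_ACTVT[obj]):
            findings[row["AGR_NAME"]].add(obj)
    return {role: sorted(objs) for role, objs in findings.items()}

if __name__ == "__main__":
    for role, objs in risky_roles(SAMPLE_EXPORT).items():
        print(f"{role}: write activity on {', '.join(objs)}")
```

The interval check matters in practice: a role granted ACTVT 01 to 03 never lists 02 explicitly but still holds change access.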

Patch Action

Apply SAP Note 3735546.

Affected Versions

SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816

Patch Info

CVSS Score: 7.1

SAP Note: 3735546

CVE: CVE-2026-44751

Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.