medium | 2026-06-09 | SAP BW/4HANA | CVE-2026-44754

Missing Caller ID Check in SAP BW Operational Data Provisioning APIs

SAP BW/4HANA and BW on HANA (ODP APIs)

Our Take

ODP is the backbone of SAP's modern data extraction architecture: it feeds BW, CDS views, and third-party data pipelines. Unauthorised access to ODP APIs is a data governance and compliance concern as much as a security one. Patch timing: next planned window.

Vulnerability Detail

A missing caller identification check in the Operational Data Provisioning (ODP) APIs of SAP BW/4HANA and BW on HANA allows an authenticated attacker to invoke ODP APIs without proper caller verification, potentially accessing or manipulating data extraction pipelines and underlying data sources.

Patch Action

Apply SAP Note 3748819.

Affected Versions

SAP_BW 750–758
BW4HANA 200, 300

Patch Info

CVSS Score: 6.6

SAP Note: 3748819

CVE: CVE-2026-44754

Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.