CVE-2025-26660
Broken Access Control in SAP Fiori apps (Posting Library)
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
11 Mar 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
SAP_SE · SAP Fiori apps (Posting Library)Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →