{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27679","assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","state":"PUBLISHED","assignerShortName":"sap","dateReserved":"2026-02-23T17:50:10.513Z","datePublished":"2026-04-14T00:07:44.698Z","dateUpdated":"2026-04-14T13:14:18.168Z"},"containers":{"cna":{"providerMetadata":{"orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap","dateUpdated":"2026-04-14T00:07:44.698Z"},"title":"Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)","problemTypes":[{"descriptions":[{"lang":"eng","cweId":"CWE-862","description":"CWE-862: Missing Authorization","type":"CWE"}]}],"affected":[{"vendor":"SAP_SE","product":"SAP S/4HANA Frontend OData Service (Manage Reference Structures)","versions":[{"status":"affected","version":"UIS4H 109"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.</p>"}]}],"references":[{"url":"https://me.sap.com/notes/3716767"},{"url":"https://url.sap/sapsecuritypatchday"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-27679","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-04-14T12:54:36.424036Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-14T13:14:18.168Z"}}]}}