6.5
SAP S/4HANA: Unauthorized Updates and Deletions of Company Data
CVE-2026-27678
Summary
An attacker can update and delete company data in SAP S/4HANA through the exposed Manage Reference Structures OData service without proper authorization. This could lead to financial loss or disruption of business operations. Organizations should apply the latest security patches to prevent unauthorized changes.
Original title
Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without pro...
Original description
Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
NVD CVSS 3.1
6.5
Vulnerability type
CWE-862
Missing Authorization
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026