CVE-2026-0509

Published Feb 10, 2026

Last updated 15 days ago

CVSS critical 9.6

SAP

Overview

Description: SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
Source: cna@sap.com
NVD status: Analyzed
Products: netweaver_as_abap_kernel, netweaver_as_abap_krnl64nuc, netweaver_as_abap_krnl64uc

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.6
Impact score: 5.8
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Severity: CRITICAL

Weaknesses

cna@sap.com: CWE-862

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:*:*:*:*:*:*:*",
            "matchCriteriaId": "FE603A80-8FF0-4180-9E11-C468AE2441C7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:*:*:*:*:*:*:*",
            "matchCriteriaId": "7EB97250-22A3-4BA6-8498-59ED0E81E3CC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:*:*:*:*:*:*:*",
            "matchCriteriaId": "7F5D31D3-B2B2-4347-B8DF-D06056289598",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:*:*:*:*:*:*:*",
            "matchCriteriaId": "50570852-982E-40CA-B391-3FB8B9373F78",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:*:*:*:*:*:*:*",
            "matchCriteriaId": "B8B74AD9-A83E-45DD-96C2-4F3C8C8C6AE6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:*:*:*:*:*:*:*",
            "matchCriteriaId": "237DBA4A-B5A9-48C9-B6A3-D293BB66EF69",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:*:*:*:*:*:*:*",
            "matchCriteriaId": "3668B2D9-0A4C-43F5-B248-9A6438AF7D71",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:*:*:*:*:*:*:*",
            "matchCriteriaId": "1BC9779B-7571-44F7-BCCC-6BF2834ED779",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:*:*:*:*:*:*:*",
            "matchCriteriaId": "D243C94B-F182-48A0-9775-4B193B913B8E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:*:*:*:*:*:*:*",
            "matchCriteriaId": "02507EB2-8776-4EA9-9164-B2F6AD911B59",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*",
            "matchCriteriaId": "7867ADA5-47AA-48DD-9CAC-D3ACB5713CB3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:*:*:*:*:*:*:*",
            "matchCriteriaId": "B5E3292A-7311-4821-A52E-8FB4A1449D44",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:*:*:*:*:*:*:*",
            "matchCriteriaId": "171A52A4-8383-47D9-89D4-FC44CA84DA49",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:*:*:*:*:*:*:*",
            "matchCriteriaId": "B1190FF1-8D50-4424-AE21-6AE562D5C6B1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References