PT-2026-32560 · SAP · SAP Business Planning/Consolidation +1

Published: 2026-04-14 · Updated: 2026-05-12 · CVE-2026-27681

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SAP Business Planning and Consolidation (affected versions not specified)
SAP Business Warehouse (affected versions not specified)

Description

Insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse allow an authenticated user with low privileges to execute crafted SQL statements over the network. This issue occurs because a vulnerable ABAP program allows the upload of files containing arbitrary SQL statements, which are then executed. This can lead to arbitrary database command execution, enabling attackers to read, modify, and delete database data, as well as escalate privileges and move laterally across networks via database compromise. This significantly impacts the confidentiality, integrity, and availability of the system.

Recommendations

Apply the updates provided in the April Patch Tuesday release for SAP Business Planning and Consolidation.
Apply the updates provided in the April Patch Tuesday release for SAP Business Warehouse.

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-05447
CVE-2026-27681

Affected Products

SAP Business Planning/Consolidation
SAP Business Warehouse