CVE-2026-44748 - Vulnerability Details - OpenCVE

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://me.sap.com/notes/3746332
https://url.sap/sapsecuritypatchday

History

Tue, 09 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.
Title		XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform
Weaknesses		CWE-347
References		https://me.sap.com/notes/3746332 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-06-09T00:20:58.456Z

Updated: 2026-06-09T00:20:58.456Z

Reserved: 2026-05-07T18:16:34.195Z

Link: CVE-2026-44748

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-09T01:16:46.603

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T02:30:26Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44748", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-05-07T18:16:34.195Z", "datePublished": "2026-06-09T00:20:58.456Z", "dateUpdated": "2026-06-09T00:20:58.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-06-09T00:20:58.456Z"}, "title": "XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP NetWeaver AS ABAP and ABAP Platform", "versions": [{"status": "affected", "version": "SAP_BASIS 702"}, {"status": "affected", "version": "SAP_BASIS 731"}, {"status": "affected", "version": "SAP_BASIS 740"}, {"status": "affected", "version": "SAP_BASIS 750"}, {"status": "affected", "version": "SAP_BASIS 751"}, {"status": "affected", "version": "SAP_BASIS 752"}, {"status": "affected", "version": "SAP_BASIS 753"}, {"status": "affected", "version": "SAP_BASIS 754"}, {"status": "affected", "version": "SAP_BASIS 755"}, {"status": "affected", "version": "SAP_BASIS 756"}, {"status": "affected", "version": "SAP_BASIS 757"}, {"status": "affected", "version": "SAP_BASIS 758"}, {"status": "affected", "version": "SAP_BASIS 816"}, {"status": "affected", "version": "SAP_BASIS 918"}, {"status": "affected", "version": "SAP_BASIS 919"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3746332"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}