CVE-2026-44770 in S4 HANAinfo

Summary

by MITRE • 07/14/2026

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability exists within SAP's Create Single Payment functionality where insufficient authorization controls allow restricted users to access specific entity set keys through authenticated sessions. The flaw represents a classic privilege escalation issue where proper access controls fail to validate user permissions against requested resources. According to CWE-285, this manifests as inadequate authorization checks that permit unauthorized data access. The vulnerability operates at the application level where authenticated users can exploit improperly enforced access restrictions to retrieve information they should not be permitted to view.

The technical implementation flaw occurs when the system fails to validate whether an authenticated user possesses sufficient privileges to access particular entity set keys within the payment processing framework. This authorization bypass allows malicious or curious restricted users to discover and potentially extract sensitive payment-related data that should only be accessible to authorized personnel with appropriate clearance levels. The vulnerability specifically impacts confidentiality as it enables information disclosure without affecting the integrity or availability of the system resources.

From an operational perspective, this weakness creates a risk profile that aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential access. While the impact on confidentiality is rated as low, the potential for data exposure remains significant particularly in financial environments where payment information constitutes sensitive business data. Attackers could leverage this vulnerability to gather intelligence about payment processing workflows, user roles, or transaction patterns that might inform more sophisticated attacks against the broader SAP ecosystem.

Organizations should implement comprehensive access control reviews focusing on entity set key restrictions within SAP systems. The mitigation strategy must include enforcing proper authorization checks at every interaction point where entity sets are accessed. Security controls should validate user permissions against requested resources before granting access, implementing role-based access controls that align with the principle of least privilege. Regular security testing and monitoring of authentication flows will help identify similar authorization gaps across other SAP modules and prevent exploitation of related vulnerabilities in the payment processing infrastructure.

Responsible

Sap

Reservation

05/07/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!