Mallory
Severity: Critical

Missing Authorization Check in SAP NetWeaver Application Server ABAP and ABAP Platform

Identifiers: CVE-2026-0509; CWE-862 (Missing Authorization)

CVE-2026-0509 is a critical missing authorization check vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. Under certain conditions, the affected components let an authenticated, low-privileged user execute background Remote Function Calls (RFCs) without holding the S_RFC authorization that such calls are supposed to require: the application does not enforce the intended permission check before allowing the background RFC to run, which is an authorization bypass. The issue affects SAP NetWeaver AS ABAP / ABAP Platform, including the kernel and SAP_BASIS versions listed in SAP's February 2026 Security Patch Day materials, and is addressed by SAP Security Note 3674774.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets a low-privileged authenticated user bypass the intended authorization check and execute background RFC operations that should require S_RFC. The vulnerability is rated as having high impact on integrity and availability and no impact on confidentiality. In practice this means unauthorized execution of backend function modules, modification of application state or data, and disruption of business processes or service operation through unauthorized background function execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible: restrict which low-privileged authenticated users can reach the affected RFC pathways; minimize assignment of roles that can interact with background RFC functionality; review UCON (Unified Connectivity) and related authorization settings to shrink the set of callable function modules; and monitor closely for unauthorized or anomalous background RFC activity while validating S_RFC-related access controls. Treat all of this as exposure reduction, not a fix: the corrective action is the vendor patch together with the required profile-parameter change, and a check that the vulnerable path skips cannot be restored by tightening role assignments alone.
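To support the S_RFC review described above, here is an added example (not code from the Mallory page, SAP or Onapsis). The AGR_1251 layout (role, authorization instance, object, field, LOW, HIGH), the S_RFC fields RFC_TYPE, RFC_NAME and ACTVT, and ACTVT value 16 (Execute) are standard SAP; the role names, authorization instances, user-to-role mapping and every row of the extract are constructed for illustration. The code models the intended S_RFC check, including two details that are easy to get wrong when reviewing by hand: all fields must be satisfied within one authorization instance, never by combining values from different instances of the same role, and a trailing '*' in LOW is a prefix pattern while a HIGH value makes an inclusive range. It then lists broad grants and the users holding them. It does not and cannot detect the bypass itself; on an unpatched system a user such as VIEWER02, who holds no S_RFC at all, could still reach the background RFC path. The page does not name the profile parameter the fix requires, so the example does not guess at it.

```python
"""Review S_RFC grants from an AGR_1251 extract and evaluate whether a
set of roles would pass the intended S_RFC check for a given RFC name.

Added example, not from the Mallory page, SAP or Onapsis. Table layout
and S_RFC field names are standard SAP; all rows and names below are
constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed AGR_1251 extract (role authorization values) in CSV form.
# AUTH is the authorization instance a field value belongs to.
AGR_1251_CSV = """AGR_NAME,AUTH,OBJECT,FIELD,LOW,HIGH
Z_BASIS_ADMIN,T-0001,S_RFC,RFC_TYPE,FUGR,
Z_BASIS_ADMIN,T-0001,S_RFC,RFC_NAME,*,
Z_BASIS_ADMIN,T-0001,S_RFC,ACTVT,16,
Z_FI_CLERK,T-0002,S_RFC,RFC_TYPE,FUGR,
Z_FI_CLERK,T-0002,S_RFC,RFC_NAME,FI_INVOICE,
Z_FI_CLERK,T-0002,S_RFC,ACTVT,16,
Z_FI_CLERK,T-0003,S_RFC,RFC_TYPE,FUNC,
Z_FI_CLERK,T-0003,S_RFC,RFC_NAME,ZFM_EXPORT,
Z_FI_CLERK,T-0003,S_RFC,ACTVT,16,
Z_FI_CLERK,T-0004,S_TCODE,TCD,FB60,
Z_REPORTING,T-0005,S_RFC,RFC_TYPE,FUGR,
Z_REPORTING,T-0005,S_RFC,RFC_NAME,RS*,
Z_REPORTING,T-0005,S_RFC,ACTVT,16,
Z_DISPLAY_ONLY,T-0006,S_TCODE,TCD,SE16,
"""

# Constructed user-to-role assignment (in SAP this comes from AGR_USERS).
USER_ROLES = {
    "ADMIN01": ["Z_BASIS_ADMIN"],
    "CLERK07": ["Z_FI_CLERK", "Z_DISPLAY_ONLY"],
    "ANALYST3": ["Z_REPORTING"],
    "VIEWER02": ["Z_DISPLAY_ONLY"],
}


def load_s_rfc_grants(csv_text):
    """Return {role: {auth_instance: {field: [(low, high), ...]}}} for
    S_RFC rows only. Values are kept per AUTH instance because an SAP
    authorization check passes only if one instance satisfies every
    field; values from different instances must not be combined."""
    grants = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OBJECT"] != "S_RFC":
            continue
        grants[row["AGR_NAME"]][row["AUTH"]][row["FIELD"]].append(
            (row["LOW"], row["HIGH"] or None))
    return grants


def value_matches(value, low, high):
    """SAP-style field comparison: HIGH makes an inclusive range, a
    trailing '*' in LOW is a generic (prefix) pattern, else exact."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def s_rfc_check(grants, roles, rfc_type, rfc_name, actvt="16"):
    """Model the intended S_RFC check (the one CVE-2026-0509 lets the
    background RFC path skip): True if any single instance in any of
    the given roles covers RFC_TYPE, RFC_NAME and ACTVT together."""
    wanted = {"RFC_TYPE": rfc_type, "RFC_NAME": rfc_name, "ACTVT": actvt}
    for role in roles:
        for instance in grants.get(role, {}).values():
            if all(any(value_matches(wanted[f], lo, hi)
                       for lo, hi in instance.get(f, []))
                   for f in wanted):
                return True
    return False


def find_broad_grants(grants):
    """(role, instance, pattern) for S_RFC instances whose RFC_NAME is
    '*' or a generic prefix: the grants to trim first when reducing who
    can legitimately reach background RFC functionality."""
    broad = []
    for role, instances in grants.items():
        for auth, fields in instances.items():
            for low, high in fields.get("RFC_NAME", []):
                if high is None and low.endswith("*"):
                    broad.append((role, auth, low))
    return sorted(broad)


def users_with_broad_grants(grants, user_roles):
    """Sorted users holding at least one broad S_RFC grant."""
    broad_roles = {role for role, _, _ in find_broad_grants(grants)}
    return sorted(u for u, roles in user_roles.items()
                  if broad_roles & set(roles))


GRANTS = load_s_rfc_grants(AGR_1251_CSV)

if __name__ == "__main__":
    for role, auth, pattern in find_broad_grants(GRANTS):
        print(f"broad S_RFC grant: role={role} instance={auth} RFC_NAME={pattern}")
    print("users with broad grants:", users_with_broad_grants(GRANTS, USER_ROLES))
    # Cross-instance combination must not pass: Z_FI_CLERK has FUGR/FI_INVOICE
    # in one instance and FUNC/ZFM_EXPORT in another, not FUGR/ZFM_EXPORT.
    print("CLERK07 FUGR ZFM_EXPORT:",
          s_rfc_check(GRANTS, USER_ROLES["CLERK07"], "FUGR", "ZFM_EXPORT"))
```

Run it against a real extract of AGR_1251 (for example from SE16) and AGR_USERS instead of the constructed strings; real rows carry a DELETED flag that should be skipped, which the constructed extract omits. Cutting the broad grants it reports limits who can legitimately run arbitrary function groups and gives the monitoring a baseline, but the bypass lets users with no S_RFC at all reach the background RFC path, so this review complements the patch rather than replacing it.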

Remediation

Patch, then assume compromise.

Apply SAP Security Note 3674774 and the corresponding February 2026 SAP security updates for affected SAP NetWeaver Application Server ABAP / ABAP Platform components. Remediation requires implementing a kernel update and setting a profile parameter; this page does not name the parameter, so take its name and value from the SAP note. Because the fix changes authorization behavior, Onapsis noted that user-role assignments and UCON settings may need to be reviewed and updated so that legitimate background RFC processing is not interrupted after patching; verify that business-critical background jobs and RFC integrations still run once the parameter is set.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability (0 valid / 0 total tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor   Product                                  Type
SAP      ABAP Platform                            application
SAP      NetWeaver Application Server ABAP        application
SAP      NetWeaver AS ABAP Kernel                 application
SAP      NetWeaver AS ABAP KRNL64NUC              application
SAP      NetWeaver AS ABAP KRNL64UC               application
SAP      SAP NetWeaver Application Server ABAP    application
