CVE-2026-44749 SAP_SE CVE debrief

Who should care

Organizations operating SAP environments with Gateway components, particularly those with external-facing or multi-tenant deployments. Security teams responsible for SAP vulnerability management and patch deployment. Compliance officers tracking information disclosure risks in enterprise resource planning systems.

Technical summary

The SAP Gateway component contains a vulnerability where attackers with low privileges can inject content into error messages. This injection capability may lead to disclosure of request artifacts including regular expression patterns and underlying URI parsing implementation details. The attack vector is network-based with low attack complexity, requiring low privileges and no user interaction. The confidentiality impact is rated low with no impact to integrity or availability. The vulnerability is classified as CWE-497, indicating exposure of sensitive system information to unauthorized control spheres through error handling mechanisms.

Defensive priority

medium

Recommended defensive actions

• Review SAP security note 3433366 for patch availability and deployment guidance
• Monitor SAP Gateway error message configurations for unexpected content injection
• Assess logging and monitoring controls for detection of anomalous error message patterns
• Evaluate access controls to SAP Gateway to enforce principle of least privilege
• Subscribe to SAP Security Patch Day notifications for ongoing vulnerability management

Evidence notes

Official CVE record confirms CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. SAP security note 3433366 provides vendor remediation guidance. CWE-497 classification indicates information disclosure through error messages.

Official resources