PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44753 SAP_SE CVE debrief

SAP HANA Database user self-service tools allow an unauthenticated user to send specially crafted requests that produce distinguishable responses. This enables enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application. The vulnerability has been assigned a CVSS score of 3.7, indicating a low severity.

Vendor
SAP_SE
Product
SAP HANA Extended Application Services classic model (User Self Service)
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Security teams and administrators responsible for SAP HANA Database systems should be aware of this vulnerability and take steps to mitigate it. They should review and apply vendor patches or updates, implement compensating controls, conduct inventory checks to identify affected systems, and consider disabling user self-service tools if not required. Additionally, they should monitor and track exceptions, and retest remediated assets to ensure that the vulnerability is properly addressed.

Technical summary

The vulnerability exists in the user self-service tools of SAP HANA Database. An unauthenticated user can send specially crafted requests that produce distinguishable responses, allowing for the enumeration of valid user accounts and email addresses. The CVSS score for this vulnerability is 3.7, indicating a low severity. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability can be mitigated by applying vendor patches or updates, implementing compensating controls, and conducting inventory checks to identify affected systems.

Defensive priority

Low priority, as the impact on confidentiality is low and there is no impact on integrity and availability.

Recommended defensive actions

  • Review and apply vendor patches or updates
  • Implement compensating controls, such as monitoring and exception tracking
  • Conduct inventory checks to identify affected systems
  • Consider disabling user self-service tools if not required
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-14T01:16:17.683Z and has not been modified since then. The NVD entry is currently receiving updates. SAP has provided references for this vulnerability, including note 3732522 and a security patch day URL. The vulnerability exists in the user self-service tools of SAP HANA Database, and an unauthenticated user can send specially crafted requests that produce distinguishable responses, allowing for the enumeration of valid user accounts and email addresses.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T01:16:17.683Z and has not been modified since then. The NVD entry is currently receiving updates.