PatchSiren cyber security CVE debrief
CVE-2026-44753 SAP_SE CVE debrief
SAP HANA Database user self-service tools allow an unauthenticated user to send specially crafted requests that produce distinguishable responses. This enables enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application. The vulnerability has been assigned a CVSS score of 3.7, indicating a low severity.
- Vendor
- SAP_SE
- Product
- SAP HANA Extended Application Services classic model (User Self Service)
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Security teams and administrators responsible for SAP HANA Database systems should be aware of this vulnerability and take steps to mitigate it. They should review and apply vendor patches or updates, implement compensating controls, conduct inventory checks to identify affected systems, and consider disabling user self-service tools if not required. Additionally, they should monitor and track exceptions, and retest remediated assets to ensure that the vulnerability is properly addressed.
Technical summary
The vulnerability exists in the user self-service tools of SAP HANA Database. An unauthenticated user can send specially crafted requests that produce distinguishable responses, allowing for the enumeration of valid user accounts and email addresses. The CVSS score for this vulnerability is 3.7, indicating a low severity. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability can be mitigated by applying vendor patches or updates, implementing compensating controls, and conducting inventory checks to identify affected systems.
Defensive priority
Low priority, as the impact on confidentiality is low and there is no impact on integrity and availability.
Recommended defensive actions
- Review and apply vendor patches or updates
- Implement compensating controls, such as monitoring and exception tracking
- Conduct inventory checks to identify affected systems
- Consider disabling user self-service tools if not required
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-14T01:16:17.683Z and has not been modified since then. The NVD entry is currently receiving updates. SAP has provided references for this vulnerability, including note 3732522 and a security patch day URL. The vulnerability exists in the user self-service tools of SAP HANA Database, and an unauthenticated user can send specially crafted requests that produce distinguishable responses, allowing for the enumeration of valid user accounts and email addresses.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T01:16:17.683Z and has not been modified since then. The NVD entry is currently receiving updates.