PatchSiren cyber security CVE debrief
CVE-2026-44754 SAP_SE CVE debrief
CVE-2026-44754 is a medium-severity vulnerability (CVSS 6.6) in the Operational Data Provisioning Data Replication API (ODP-RFC) of an unspecified SAP product. The Remote Function Call (RFC) modules of ODP-RFC do not identify the caller to confirm that it is a permitted SAP-internal application, so customer or third-party applications can use them in unintended ways. This could lead to the disclosure of data; integrity is not affected, and the availability impact on the application is minimal.
- Vendor: SAP_SE
- Product: ODP Data Replication APIs
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Organizations using SAP products, particularly those utilizing the Operational Data Provisioning Data Replication API (ODP-RFC), should be aware of this vulnerability and take necessary steps to mitigate it.
Technical summary
The CVE-2026-44754 vulnerability is caused by the lack of caller identification for permitted SAP-internal applications in the Remote Function Call (RFC) modules of ODP-RFC. This allows customer or third-party applications to use these modules in ways that are not aligned with their intended usage, potentially leading to data disclosure.
Defensive priority
medium
Recommended defensive actions
- Apply patches or updates provided by SAP to address the vulnerability.
- Review and restrict usage of ODP-RFC modules to ensure only authorized applications can access them.
- Monitor systems for potential misuse of ODP-RFC modules.
Evidence notes
The CVE-2026-44754 vulnerability was published on June 9, 2026, and last modified on June 9, 2026. The CVSS score for this vulnerability is 6.6, indicating a medium severity. The CWE associated with this vulnerability is CWE-862.