Platform
sap
Component
sap-fiori-app-intercompany-balance-reconciliation
Fixed in
70.0.1
600.0.1
700.0.1
800.0.1
900.0.1
901.0.1
902.0.1
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
109.0.1
4.0.1
CVE-2026-0493 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the SAP Fiori App Intercompany Balance Reconciliation. This flaw allows an attacker to potentially trigger unintended actions on behalf of an authenticated user, leading to a compromise of data integrity. The vulnerability impacts versions of the application up to and including UIS4H 109. A patch is available, resolving the issue.
The CSRF vulnerability allows an attacker to craft malicious requests that appear to originate from a legitimate, authenticated user. By tricking a user into clicking a crafted link or visiting a malicious website, the attacker can execute state-changing actions within the SAP Fiori App Intercompany Balance Reconciliation. This could involve unauthorized modifications to financial data, creation of fraudulent transactions, or other actions that compromise the integrity of the system. While the vulnerability does not directly impact confidentiality or availability, the potential for data manipulation poses a significant risk to financial reporting and operational processes. Exploitation could lead to inaccurate financial statements and potential regulatory non-compliance.
CVE-2026-0493 was publicly disclosed on January 13, 2026. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk. There are currently no publicly known proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of this writing. The relatively low CVSS score and lack of public exploits suggest a lower probability of immediate exploitation, but proactive mitigation is still recommended.
Organizations utilizing the SAP Fiori App Intercompany Balance Reconciliation application, particularly those running versions prior to 4.0.1, are at risk. This includes companies with complex intercompany transactions and those relying on accurate financial reporting. Shared hosting environments where multiple tenants share the same SAP instance may also be vulnerable if proper isolation measures are not in place.
• sap: Examine SAP application logs for unusual request patterns, particularly those involving Intercompany Balance Reconciliation functionality. Look for requests originating from unexpected IP addresses or user agents.
zgrep "Intercompany Balance Reconciliation" /var/log/sap/app/<SID>/<instance>/trace.txt
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0493 is to upgrade to SAP Fiori App (Intercompany Balance Reconciliation) version 4.0.1 or later. Prior to upgrading, it is crucial to review SAP's upgrade documentation and test the upgrade in a non-production environment to ensure compatibility and avoid disruptions. As a temporary workaround, implement strict input validation and output encoding within the application to minimize the risk of CSRF attacks. Consider implementing CSRF tokens or other anti-CSRF mechanisms to protect sensitive actions. Regularly review application logs for suspicious activity and implement robust access controls to limit user privileges.
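As an added illustration of the anti-CSRF token mechanism recommended above (example code written for this page, not SAP's own implementation and not code from the affected app): a minimal synchronizer-token guard that binds a per-session token to the session cookie and rejects state-changing requests that do not carry it. The session store, the `X-CSRF-Token`-style header handling and the sample sessions are all constructed assumptions for the demonstration; the point it shows is why a forged cross-site request fails even though the browser attaches the victim's session cookie automatically.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Methods that must never change server state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    sid: str
    user: str
    csrf_token: Optional[str] = None  # issued lazily on first token fetch


class CsrfGuard:
    """Synchronizer-token CSRF check (hypothetical helper, not an SAP API)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # The session id is what the browser will later send back as a cookie.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid=sid, user=user)
        return sid

    def issue_token(self, cookie_sid: str) -> str:
        # Called by the legitimate front end on a safe request (the pattern is a
        # GET whose response carries the token in a header or page body).
        # A cross-origin attacker page cannot read this response, so it never
        # learns the token even though it can make the browser send the cookie.
        sess = self.sessions[cookie_sid]
        if sess.csrf_token is None:
            sess.csrf_token = secrets.token_urlsafe(32)
        return sess.csrf_token

    def check(self, method: str, cookie_sid: Optional[str],
              header_token: Optional[str]) -> Tuple[bool, str]:
        # Returns (allowed, reason) so callers can log the rejection cause.
        sess = self.sessions.get(cookie_sid or "")
        if sess is None:
            return False, "no valid session"
        if method.upper() in SAFE_METHODS:
            return True, "safe method, no token required"
        if not header_token or sess.csrf_token is None:
            return False, "state-changing request without CSRF token"
        # Constant-time comparison avoids leaking the token via timing.
        if not hmac.compare_digest(sess.csrf_token, header_token):
            return False, "CSRF token mismatch"
        return True, "token valid"


def demo() -> Dict[str, bool]:
    """Walk through the legitimate and the forged request (constructed data)."""
    guard = CsrfGuard()
    sid = guard.login("fin.user")          # victim logs in; cookie = sid
    token = guard.issue_token(sid)         # legitimate UI fetches the token

    # Legitimate UI: cookie + matching token on a POST -> allowed.
    legit, _ = guard.check("POST", sid, token)
    # Forged request from another origin: browser sends the cookie, but the
    # attacker page has no way to obtain the token -> rejected.
    forged, _ = guard.check("POST", sid, None)
    # Guessed or stale token -> rejected.
    guessed, _ = guard.check("POST", sid, secrets.token_urlsafe(32))
    # Read-only request without a token -> allowed (must be side-effect free).
    readonly, _ = guard.check("GET", sid, None)
    return {"legit": legit, "forged": forged,
            "guessed": guessed, "readonly": readonly}


if __name__ == "__main__":
    print(demo())
```

The guard only helps if every state-changing operation is served on a non-safe method and checked; a server that mutates data on GET, or that accepts the token from the cookie alone rather than from a header or body field the cross-site page cannot set, gains nothing from it.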
Apply SAP Security Note 3655229 to fix the CSRF vulnerability. Consult the SAP documentation for detailed instructions on applying security patches and updates in your SAP Fiori environment.
CVE-2026-0493 is a Cross-Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation, allowing attackers to perform unauthorized actions.
You are affected if you are using SAP Fiori App (Intercompany Balance Reconciliation) version UIS4H 109 or earlier.
Upgrade to version 4.0.1 or later. Review SAP's upgrade documentation and test thoroughly before applying the patch.
There are currently no publicly known active exploitation campaigns for CVE-2026-0493.
Refer to the official SAP Security Notes for detailed information and remediation steps. Check the SAP Support Portal for the latest advisory.