MEDIUM · CVE-2026-0493 · CVSS 4.3

CVE-2026-0493: CSRF in SAP Fiori App (Intercompany Balance)

Platform

sap

Component

sap-fiori-app-intercompany-balance-reconciliation

Fixed in

70.0.1, 600.0.1, 700.0.1, 800.0.1, 900.0.1, 901.0.1, 902.0.1, 4.0.1, 103.0.1, 104.0.1, 105.0.1, 106.0.1, 107.0.1, 108.0.1, 109.0.1, 4.0.1 (one patched level per affected software component; the mapping to UIAPFI70, S4CORE and UIS4H levels is given under Affected Software below)

AI Confidence: high · Source: NVD · EPSS: 0.0% · Reviewed: May 2026

CVE-2026-0493 is a Cross-Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation. A request forged by a third-party site can trigger state-changing actions on behalf of an authenticated user of the app, compromising the integrity of its data. The affected software components are UIAPFI70 levels 500 through 902, S4CORE levels 102 through 109, and UIS4H 109. SAP has released a correction for each affected level (SAP security note 3655229).

Impact and Attack Scenarios

A CSRF attack works because the browser attaches the victim's session cookies to any request addressed to the Fiori server, regardless of which page issued the request. If an authenticated user of the Intercompany Balance Reconciliation app is lured into clicking a crafted link or visiting a site the attacker controls, that site can make the user's browser send a state-changing request to the app, and the server processes it as the user's own action. Which actions are reachable depends on the services the app exposes; given its purpose, the realistic concern is unauthorized modification of reconciliation data or the creation of fraudulent transactions under the victim's authorizations. The attacker never sees the server's response, so CSRF does not leak data, and the published vector accordingly rates the impact as integrity only (I:L) with no confidentiality or availability impact. Even a limited integrity impact matters in a financial reconciliation process, because downstream financial reporting and controls depend on the data, and manipulated balances can lead to inaccurate statements and regulatory findings.
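The mechanism described above, as an added example that is not part of this page or of SAP's code: a toy request handler in its pre-fix form (any POST carrying a valid session cookie is processed) beside a hardened form that requires the per-session token handshake SAP Gateway uses for its OData services (a GET carrying X-CSRF-Token: Fetch returns a token that every modifying request must echo back). The service path, cookie name, session store, origins and user names are hypothetical.

```python
"""Cookie-only authentication vs. synchronizer token (added example, not SAP code).

Models the X-CSRF-Token handshake SAP Gateway uses: a GET carrying
'X-CSRF-Token: Fetch' returns a token, and every modifying request must
echo it. Paths, cookie and user names below are hypothetical."""
import secrets
from dataclasses import dataclass, field

SERVICE = "/sap/opu/odata/HYPOTHETICAL_SRV/Postings"   # hypothetical OData collection
VICTIM_COOKIE = {"SAP_SESSIONID": "sess-victim"}        # hypothetical session cookie
ATTACKER_ORIGIN = "https://attacker.example"            # hypothetical attacker site


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


SESSIONS = {"sess-victim": {"user": "FIN_CLERK"}}  # session id -> logged-in user
TOKENS = {}                                        # session id -> issued CSRF token
LEDGER = []                                        # postings the server processed


def _session(req):
    return SESSIONS.get(req.cookies.get("SAP_SESSIONID"))


def vulnerable_handler(req):
    """Pre-fix: a valid session cookie is the only check. The browser adds the
    cookie to requests from any origin, so a cross-site form submission passes."""
    sess = _session(req)
    if sess is None:
        return Response(401)
    if req.method == "GET":
        return Response(200)
    LEDGER.append((sess["user"], dict(req.body)))
    return Response(201)


def hardened_handler(req):
    """Post-fix: modifying requests must carry a per-session token. The token is
    delivered in a response header that a cross-site page cannot read, so a
    forged request cannot supply it."""
    sess = _session(req)
    if sess is None:
        return Response(401)
    sid = req.cookies["SAP_SESSIONID"]
    if req.method == "GET":
        if req.headers.get("X-CSRF-Token", "").lower() == "fetch":
            TOKENS.setdefault(sid, secrets.token_urlsafe(24))
            return Response(200, {"X-CSRF-Token": TOKENS[sid]})
        return Response(200)
    supplied = req.headers.get("X-CSRF-Token")
    expected = TOKENS.get(sid)
    # Constant-time comparison; bytes so a non-ASCII value cannot raise.
    if supplied is None or expected is None or not secrets.compare_digest(
            supplied.encode(), expected.encode()):
        return Response(403, body="CSRF token validation failed")
    LEDGER.append((sess["user"], dict(req.body)))
    return Response(201)


def forged_request():
    """Request the victim's browser emits when a page on attacker.example
    auto-submits a form at the service: the session cookie rides along, but
    the attacker cannot set a token."""
    return Request("POST", SERVICE, VICTIM_COOKIE,
                   headers={"Origin": ATTACKER_ORIGIN},
                   body={"amount": "250000.00", "partner": "ATTACKER_CO"})


def legitimate_requests(handler):
    """What the Fiori client does: fetch the token, then post with it."""
    fetch = handler(Request("GET", SERVICE, VICTIM_COOKIE,
                            headers={"X-CSRF-Token": "Fetch"}))
    token = fetch.headers.get("X-CSRF-Token")
    headers = {"X-CSRF-Token": token} if token else {}
    return handler(Request("POST", SERVICE, VICTIM_COOKIE, headers=headers,
                           body={"amount": "10.00", "partner": "SUBSIDIARY_A"}))


def run_scenario(handler):
    """Returns (forged status, legitimate status, number of processed postings)."""
    LEDGER.clear()
    TOKENS.clear()
    forged = handler(forged_request())
    legit = legitimate_requests(handler)
    return forged.status, legit.status, len(LEDGER)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_handler))  # (201, 201, 2)
    print("hardened:  ", run_scenario(hardened_handler))    # (403, 201, 1)
```

The forged request succeeds against the pre-fix handler and is rejected with 403 by the hardened one, while the legitimate client, which can read the token header because it runs on the app's own origin, is unaffected. The same 403 with "CSRF token validation failed" is what a quick manual check against a real Gateway service should produce for a POST sent without a token.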

Exploitation Context

CVE-2026-0493 was publicly disclosed on January 13, 2026. Its CVSS 3.1 base score of 4.3 (MEDIUM) reflects a network-reachable flaw of low complexity with a limited integrity impact. No public proof-of-concept exploit is known, and the CVE is not listed in the CISA KEV catalog at the time of writing. One caveat when reading the published vector: it records User Interaction as None, whereas the attack path described above (an authenticated user browsing to attacker-controlled content) is the usual precondition for CSRF, so in practice the attacker depends on a victim's active browser session. The low score and the absence of public exploits suggest a lower probability of immediate exploitation, but because financial data is in scope the correction should still be applied proactively.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score 4.3 (MEDIUM), as displayed by nextguardhq.com.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: sap-fiori-app-intercompany-balance-reconciliation
Vendor: SAP_SE

Software component   Affected range   Fixed in
UIAPFI70             500 – 500        70.0.1
UIAPFI70             600 – 600        600.0.1
UIAPFI70             700 – 700        700.0.1
UIAPFI70             800 – 800        800.0.1
UIAPFI70             900 – 900        900.0.1
UIAPFI70             901 – 901        901.0.1
UIAPFI70             902 – 902        902.0.1
S4CORE               102 – 102        4.0.1
S4CORE               103 – 103        103.0.1
S4CORE               104 – 104        104.0.1
S4CORE               105 – 105        105.0.1
S4CORE               106 – 106        106.0.1
S4CORE               107 – 107        107.0.1
S4CORE               108 – 108        108.0.1
S4CORE               109 – 109        109.0.1
UIS4H                109 – 109        4.0.1

Weakness Classification (CWE)

CWE-352: Cross-Site Request Forgery (CSRF), the standard CWE mapping for the vulnerability class described above.

Timeline

  1. Reserved
  2. Published (January 13, 2026)
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-0493 is to apply SAP security note 3655229, which delivers the corrected level for each affected software component (the "Fixed in" column under Affected Software). Before applying it, review SAP's note and upgrade documentation and test the correction in a non-production system to confirm compatibility and avoid disruption. There is no configuration-only workaround that removes the flaw, and input validation or output encoding do not help here: CSRF exploits the browser attaching the session cookie to requests from other origins, not malformed input. Until the note is applied, reduce exposure: confirm that SAP Gateway's standard X-CSRF-Token handling is enforced for the app's OData services (a POST sent without a token should be rejected with a 403), set the SameSite attribute on session cookies where your SAP kernel and client browsers support it, restrict the roles that can reach the app to the users who need it, and review HTTP access logs for state-changing requests (POST, PUT, PATCH, DELETE, MERGE) whose Origin or Referer does not match your Fiori host.
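The log review recommended above, as an added example that is not part of this page or of any SAP tooling: detection logic that runs over a handful of constructed access log lines and flags state-changing requests whose Origin or Referer does not point at the Fiori host. The line format is an assumed combined-log style with referer and origin fields appended, not SAP's ICM or Web Dispatcher log format; the host names, users, timestamps and service path are constructed.

```python
"""Flag cross-site state-changing requests in an HTTP access log.

Added example, not SAP code. The log format is an assumed combined-log
style (client ident user [time] "method path proto" status "referer" "origin");
adapt LINE_RE to the format your front-end server actually writes."""
import re
from urllib.parse import urlsplit

APP_HOST = "fiori.example"   # assumed host name of the Fiori front-end server
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE", "MERGE"}

# Constructed sample lines: one same-origin posting, one read, two cross-site
# postings (one accepted, one rejected by the token check) and one DELETE from
# an opaque ("null") origin, which browsers send for sandboxed or redirected pages.
SAMPLE_LOG = """\
10.0.0.5 - clerk1 [13/Jan/2026:09:12:01 +0000] "POST /sap/opu/odata/HYPOTHETICAL_SRV/Postings HTTP/1.1" 201 "https://fiori.example/ui" "https://fiori.example"
10.0.0.5 - clerk1 [13/Jan/2026:09:13:44 +0000] "GET /sap/opu/odata/HYPOTHETICAL_SRV/Postings HTTP/1.1" 200 "https://fiori.example/ui" "-"
10.0.0.5 - clerk1 [13/Jan/2026:09:15:09 +0000] "POST /sap/opu/odata/HYPOTHETICAL_SRV/Postings HTTP/1.1" 201 "https://attacker.example/promo.html" "https://attacker.example"
10.0.0.7 - clerk2 [13/Jan/2026:09:16:30 +0000] "POST /sap/opu/odata/HYPOTHETICAL_SRV/Postings HTTP/1.1" 403 "https://attacker.example/promo.html" "https://attacker.example"
10.0.0.9 - clerk3 [13/Jan/2026:09:18:02 +0000] "DELETE /sap/opu/odata/HYPOTHETICAL_SRV/Postings(42) HTTP/1.1" 204 "-" "null"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)


def _source_host(origin, referer):
    """Best-effort origin of the request. Origin wins over Referer; 'null'
    is an opaque origin and is reported as such rather than as the app host."""
    for value in (origin, referer):
        if value in ("-", ""):
            continue
        if value == "null":
            return "null"
        host = urlsplit(value).hostname
        if host:
            return host
    return None


def cross_site_writes(log_text, app_host=APP_HOST):
    """Return state-changing requests whose source is not app_host.

    Entries with verdict 'succeeded' are the ones to investigate (a 2xx on a
    cross-site write is what an unpatched system produces); 'blocked' entries
    show the token check rejecting the attempt after the fix."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these separately
        if m["method"] not in STATE_CHANGING:
            continue
        src = _source_host(m["origin"], m["referer"])
        if src == app_host:
            continue
        findings.append({
            "user": m["user"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "source": src or "unknown",
            "verdict": "blocked" if m["status"] == "403" else "succeeded",
        })
    return findings


if __name__ == "__main__":
    for f in cross_site_writes(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} {f['method']} {f['path']} "
              f"{f['status']} from {f['source']}: {f['verdict']}")
```

Requests with neither Origin nor Referer are reported as "unknown" rather than dropped, since a missing Referer is exactly what a privacy-stripping attacker page produces; triage those by user and time against the legitimate Fiori usage pattern.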

How to fix

Apply SAP security note 3655229 to remediate the CSRF vulnerability. Consult SAP documentation for detailed instructions on how to apply patches and security updates in your SAP Fiori environment.


Frequently asked questions

What is CVE-2026-0493 — CSRF in SAP Fiori App (Intercompany Balance)?

CVE-2026-0493 is a Cross-Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2026-0493 in SAP Fiori App (Intercompany Balance)?

You are affected if your system runs one of the listed levels of the affected software components: UIAPFI70 500, 600, 700, 800, 900, 901 or 902; S4CORE 102 through 109; or UIS4H 109, without the correction from SAP security note 3655229.

How do I fix CVE-2026-0493 in SAP Fiori App (Intercompany Balance)?

Apply SAP security note 3655229, which delivers the corrected level for your software component (see the "Fixed in" column under Affected Software). Review SAP's documentation and test the correction in a non-production system before applying it to production.

Is CVE-2026-0493 being actively exploited?

There are currently no publicly known active exploitation campaigns for CVE-2026-0493.

Where can I find the official SAP advisory for CVE-2026-0493?

Refer to the official SAP Security Notes for detailed information and remediation steps. Check the SAP Support Portal for the latest advisory.
