Platform: sap
Component: sap-fiori-app-intercompany-balance-reconciliation
Fixed in: 70.0.1, 600.0.1, 700.0.1, 800.0.1, 900.0.1, 901.0.1, 902.0.1, 4.0.1, 103.0.1, 104.0.1, 105.0.1, 106.0.1, 107.0.1, 108.0.1, 109.0.1, 4.0.1
CVE-2026-0493 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the SAP Fiori App Intercompany Balance Reconciliation. This flaw allows an attacker to potentially trigger unintended actions on behalf of an authenticated user, leading to a compromise of data integrity. The vulnerability impacts versions of the application up to and including UIS4H 109. A patch is available, resolving the issue.
The CSRF vulnerability allows an attacker to craft malicious requests that appear to originate from a legitimate, authenticated user. By tricking a user into clicking a crafted link or visiting a malicious website, the attacker can execute state-changing actions within the SAP Fiori App Intercompany Balance Reconciliation. This could involve unauthorized modifications to financial data, creation of fraudulent transactions, or other actions that compromise the integrity of the system. While the vulnerability does not directly impact confidentiality or availability, the potential for data manipulation poses a significant risk to financial reporting and operational processes. Exploitation could lead to inaccurate financial statements and potential regulatory non-compliance.
CVE-2026-0493 was publicly disclosed on January 13, 2026. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk. There are currently no publicly known proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of this writing. The relatively low CVSS score and lack of public exploits suggest a lower probability of immediate exploitation, but proactive mitigation is still recommended.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-0493 is to upgrade to SAP Fiori App (Intercompany Balance Reconciliation) version 4.0.1 or later. Prior to upgrading, it is crucial to review SAP's upgrade documentation and test the upgrade in a non-production environment to ensure compatibility and avoid disruptions. As a temporary workaround, implement strict input validation and output encoding within the application to minimize the risk of CSRF attacks. Consider implementing CSRF tokens or other anti-CSRF mechanisms to protect sensitive actions. Regularly review application logs for suspicious activity and implement robust access controls to limit user privileges.
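The anti-CSRF mechanism recommended above, shown as an added example rather than SAP's own code: a server-side check for state-changing requests that first verifies the browser-supplied Origin (or Referer) against the application's own origin and then compares a synchronizer token held in the server-side session against the copy the client presents. The origin value, the session and request objects and the sample requests are all constructed for this illustration; how SAP Fiori itself issues and validates its tokens is not described on this page.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical origin of the application; constructed for this example.
TRUSTED_ORIGIN = "https://fiori.example.internal"


@dataclass
class Session:
    """Server-side session state; the token lives here, never only in a cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; constructed for this example."""
    method: str
    headers: dict
    form: dict = field(default_factory=dict)


def _header(req: Request, name: str):
    """Case-insensitive header lookup."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_of(url: str) -> str:
    """Reduce a URL (e.g. a Referer) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_csrf(req: Request, session: Session) -> tuple:
    """Return (allowed, reason). Reject any state-changing request that the
    browser cannot prove came from our own pages."""
    if req.method.upper() in SAFE_METHODS:
        # Safe methods must be side-effect free; enforce that elsewhere.
        return True, "safe method"

    # Layer 1: Origin (or Referer) must match our own origin. Browsers set
    # Origin on cross-site POSTs, so a request forged from another site
    # fails here before the token is even consulted.
    origin = _header(req, "Origin")
    referer = _header(req, "Referer")
    if origin is not None:
        if origin != TRUSTED_ORIGIN:
            return False, f"origin mismatch: {origin}"
    elif referer is not None:
        if _origin_of(referer) != TRUSTED_ORIGIN:
            return False, f"referer mismatch: {referer}"
    else:
        return False, "no Origin or Referer on state-changing request"

    # Layer 2: synchronizer token, sent in a custom header (or form field),
    # compared in constant time against the copy stored server-side.
    presented = _header(req, "X-CSRF-Token") or req.form.get("csrf_token")
    if not presented:
        return False, "missing CSRF token"
    if not hmac.compare_digest(presented, session.csrf_token):
        return False, "CSRF token mismatch"
    return True, "ok"


def demo() -> dict:
    """Run one legitimate and two forged requests through the check."""
    session = Session(user="ic.accountant")  # constructed sample user
    legit = Request("POST",
                    {"Origin": TRUSTED_ORIGIN, "X-CSRF-Token": session.csrf_token},
                    {"action": "reconcile"})
    # A cross-site page cannot read the token and cannot forge Origin.
    forged_cross_site = Request("POST",
                                {"Origin": "https://attacker.example"},
                                {"action": "reconcile"})
    # Same-origin but token omitted (e.g. a script bypassing the UI).
    forged_no_token = Request("POST", {"Origin": TRUSTED_ORIGIN}, {"action": "reconcile"})
    return {
        "legit": check_csrf(legit, session),
        "cross_site": check_csrf(forged_cross_site, session),
        "no_token": check_csrf(forged_no_token, session),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:11s} allowed={allowed} ({why})")
```

The two layers are deliberately independent: the origin check needs no per-session state and catches the classic cross-site form post, while the token check still protects endpoints reached through clients that strip or omit Origin and Referer. The token is generated with `secrets` and compared with `hmac.compare_digest` so that neither its value nor the comparison timing leaks to a caller.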
Apply SAP security note 3655229 to remediate the CSRF vulnerability. Consult SAP documentation for detailed instructions on how to apply patches and security updates in your SAP Fiori environment.
CVE-2026-0493 is a Cross-Site Request Forgery (CSRF) vulnerability in the SAP Fiori App Intercompany Balance Reconciliation, allowing attackers to perform unauthorized actions.
You are affected if you are using SAP Fiori App (Intercompany Balance Reconciliation) version UIS4H 109 or earlier.
Upgrade to version 4.0.1 or later. Review SAP's upgrade documentation and test thoroughly before applying the patch.
There are currently no publicly known active exploitation campaigns for CVE-2026-0493.
Refer to the official SAP Security Notes for detailed information and remediation steps. Check the SAP Support Portal for the latest advisory.