Platform
sap
Component
sap-s-4hana-private-cloud-and-on-premise-financials-general-ledger
Fixed in
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
109.0.1
CVE-2026-0501 represents a critical SQL Injection vulnerability affecting SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) version 102–S4CORE 102. This flaw allows an authenticated user to inject malicious SQL queries, potentially leading to unauthorized access and manipulation of sensitive data. The vulnerability was publicly disclosed on January 13, 2026, and a patch is expected to be released by SAP.
The impact of CVE-2026-0501 is severe due to the nature of SQL Injection. A successful exploit allows an attacker to bypass application security controls and directly interact with the underlying database. This could result in the unauthorized reading, modification, or deletion of financial data, including general ledger entries, account balances, and transaction records. The attacker could potentially gain complete control over the financial data within the SAP S/4HANA system, leading to significant financial losses, reputational damage, and regulatory non-compliance. The ability to modify data also opens the door for fraudulent transactions and manipulation of financial reports. This vulnerability shares similarities with other SQL Injection attacks where attackers have leveraged database access to compromise entire systems.
CVE-2026-0501 has been assigned a CVSS score of 9.9 (CRITICAL), indicating a high probability of exploitation. As of the public disclosure date (2026-01-13), there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the critical nature of the vulnerability suggests that it is likely to be developed and shared soon.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0501 is to upgrade to a patched version of SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) as soon as it becomes available. Until the patch is applied, consider implementing temporary workarounds such as restricting user access to sensitive financial data and implementing strict input validation on all user-supplied data. Web Application Firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor SAP system logs for suspicious SQL queries and unusual database activity. Review and strengthen authentication mechanisms to limit the number of authenticated users with access to the vulnerable functionality.
Aplicar las actualizaciones de seguridad proporcionadas por SAP para corregir la vulnerabilidad de inyección SQL. Consulte la nota SAP 3687749 para obtener más detalles e instrucciones específicas sobre cómo aplicar el parche correspondiente a su versión de SAP S/4HANA. Es crucial realizar pruebas exhaustivas en un entorno de desarrollo antes de aplicar las actualizaciones en producción.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-0501 is a critical SQL Injection vulnerability in SAP S/4HANA Financials version 102–S4CORE 102, allowing authenticated users to execute malicious SQL queries and potentially access or modify sensitive financial data.
If you are running SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) version 102–S4CORE 102, you are potentially affected by this vulnerability. Check your SAP version against the affected versions listed in the advisory.
The recommended fix is to upgrade to a patched version of SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) as soon as it becomes available. Until then, implement temporary workarounds like restricting user access and strengthening input validation.
As of the public disclosure date, there is no confirmed evidence of active exploitation. However, the vulnerability's critical severity suggests it is likely to be targeted.
Refer to the official SAP Security Notes and Advisories on the SAP Support Portal for the latest information and patch details regarding CVE-2026-0501.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.