Platform: sap
Component: sap-business-planning-and-consolidation
Fixed in: 810.0.1, 4.0.1, 750.0.1, 752.0.1, 753.0.1, 754.0.1, 755.0.1, 756.0.1, 757.0.1, 758.0.1, 816.0.1
CVE-2026-27681 describes a critical SQL Injection vulnerability affecting SAP Business Planning and Consolidation and SAP Business Warehouse. This flaw allows an authenticated attacker to execute arbitrary SQL statements, potentially leading to unauthorized access, modification, or deletion of sensitive data. The vulnerability impacts versions 8.10–SAP_BW 750, and a patch is available from SAP.
The impact of CVE-2026-27681 is severe. Successful exploitation allows an attacker to bypass authorization checks and directly manipulate the underlying database. This could result in the theft of confidential business data, including financial records, customer information, and strategic plans. Attackers could also modify data to disrupt operations or inject malicious code. The ability to delete data represents a significant risk of data loss and system downtime. Given the sensitive nature of data typically stored within SAP Business Planning and Consolidation and SAP Business Warehouse, the potential for widespread damage is substantial.
CVE-2026-27681 was publicly disclosed on April 14, 2026. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released as of this writing, the ease of SQL injection exploitation suggests that it is likely to become a target for attackers. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.05% (16% percentile)
The primary mitigation for CVE-2026-27681 is to apply the security patch released by SAP. Consult the SAP Security Notes for specific instructions and compatibility information. If immediate patching is not feasible, consider implementing strict input validation on all user-supplied data to prevent malicious SQL code from being injected. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Regularly review database access permissions and ensure that users only have the minimum necessary privileges.
Apply SAP security patch 3719353 to mitigate the SQL Injection vulnerability. This patch corrects the authorization check deficiencies that allow the execution of malicious SQL statements, thus protecting the confidentiality, integrity, and availability of system data.
CVE-2026-27681 is a critical SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse, allowing attackers to execute SQL commands and potentially access or modify sensitive data.
If you are using SAP Business Planning and Consolidation or SAP Business Warehouse versions 8.10–SAP_BW 750, you are potentially affected and should immediately assess your systems.
Apply the security patch released by SAP. Consult the SAP Security Notes for specific instructions and compatibility information.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official SAP Security Notes published on the SAP Support Portal for detailed information and remediation steps.