Vulnerability Summary
Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.
CVSS v3.0 Assessment
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Reason and Prerequisites
The affected functionality is only vulnerable if the configuration regarding authorization object S_RFC is incorrect.
Technical Details
The vulnerability allows authenticated attackers to inject malicious SQL commands through insufficiently validated user input. The affected function modules in function group FGL_BCF are intended for internal system use only as part of parallel processing operations.
When authorization object S_RFC is misconfigured, these internal function modules become reachable via external RFC interfaces, creating an SQL injection vector that can:
- Read sensitive financial data from the database
- Modify critical general ledger records
- Delete accounting data and configurations
- Execute administrative database operations
- Compromise the entire database backend
Affected Software Components
Solution
This issue is fixed by generating SQL statements internally within the function module using validated parameters, which prevents user-controlled input from being injected into the query.
There is no impact on existing functionality after implementing the security note. Please implement the corresponding Support Package or the correction instructions provided in SAP Note #3687749.
Workaround
Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note.
Mitigation steps:
- Review and restrict the authorization object S_RFC to ensure that no external access is permitted to function modules within the function group FGL_BCF
- These function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces
- Audit current S_RFC assignments across all user roles and profiles
- Remove any unnecessary RFC authorizations that expose internal function modules
Additional Resources
Please refer to FAQ 3700593 for common questions and answers in the context of this SAP Security Note.
Technical Implementation Details
The security patch modifies the following ABAP repository objects to remediate the vulnerability:
The patch implements parameterized SQL query generation and removes dynamic SQL construction that was vulnerable to injection attacks. Additionally, the RFC access to these internal function modules is restricted to prevent external invocation.
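As an added illustration (not SAP's own FGL_BCF code, which the note does not reproduce): the same general ledger document lookup written first with a concatenated dynamic WHERE clause, then as the fix describes, with the statement built internally from typed parameters, plus the quoting pattern for cases where a dynamic clause cannot be avoided. The class and method names are assumptions; BKPF is the standard accounting document header table.

```abap
" Constructed illustration (not SAP's FGL_BCF code): one lookup on BKPF
" (accounting document header) written three ways.
CLASS lcl_gl_lookup DEFINITION.
  PUBLIC SECTION.
    TYPES tt_bkpf TYPE STANDARD TABLE OF bkpf WITH DEFAULT KEY.
    " Vulnerable: caller input is pasted unchanged into the SQL text.
    METHODS read_docs_dynamic
      IMPORTING iv_bukrs TYPE string iv_gjahr TYPE string
      RETURNING VALUE(rt_docs) TYPE tt_bkpf.
    " Hardened: typed parameters bound as host variables; no SQL text is built.
    METHODS read_docs_static
      IMPORTING iv_bukrs TYPE bukrs iv_gjahr TYPE gjahr
      RETURNING VALUE(rt_docs) TYPE tt_bkpf.
    " Hardened variant for a WHERE clause that must stay dynamic.
    METHODS read_docs_dynamic_quoted
      IMPORTING iv_bukrs TYPE string iv_gjahr TYPE string
      RETURNING VALUE(rt_docs) TYPE tt_bkpf.
ENDCLASS.

CLASS lcl_gl_lookup IMPLEMENTATION.
  METHOD read_docs_dynamic.
    " Any single quote inside iv_bukrs or iv_gjahr closes the literal and the
    " remainder of the value is parsed as SQL by the database.
    DATA(lv_where) = |bukrs = '{ iv_bukrs }' AND gjahr = '{ iv_gjahr }'|.
    SELECT * FROM bkpf WHERE (lv_where) INTO TABLE @rt_docs.
  ENDMETHOD.

  METHOD read_docs_static.
    " Values travel as bound host variables, so the database never parses them
    " as SQL; the typed parameters (CHAR 4 / NUMC 4) also reject over-long input.
    SELECT * FROM bkpf
      WHERE bukrs = @iv_bukrs AND gjahr = @iv_gjahr
      INTO TABLE @rt_docs.
  ENDMETHOD.

  METHOD read_docs_dynamic_quoted.
    " cl_abap_dyn_prg=>quote wraps the value in single quotes and doubles any
    " quote it contains, so the input can only ever be read as a literal.
    DATA(lv_where) = |bukrs = { cl_abap_dyn_prg=>quote( iv_bukrs ) }| &&
                     | AND gjahr = { cl_abap_dyn_prg=>quote( iv_gjahr ) }|.
    SELECT * FROM bkpf WHERE (lv_where) INTO TABLE @rt_docs.
  ENDMETHOD.
ENDCLASS.
```

Whether such a module is reachable from outside at all is decided by S_RFC, not by the code; the static form removes the injection even where that authorization is mis-assigned.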
Disclosure Date: January 13, 2026 (SAP Security Patch Day)
For more information, visit SAP Security Notes