SAP Note 3694383 closes a missing authorization check in SAP NetWeaver Application Server for ABAP. Before the fix, an authenticated user could call a specific ABAP function module and read sensitive details from the ABAP system's database catalog without the proper authorization being enforced first. SAP shipped the correction on 10 March 2026, as part of that month's SAP Security Patch Day.
This one has a bit of a backstory for us: the RedRays research team identified this exact issue while running the RedRays ABAP Code Scanner, our static-analysis tool for custom and standard ABAP code, and SAP subsequently fixed it in this Note.
Tracked as CVE-2026-24310 · Component BC-DB-INF · Released 10 March 2026 · Fixed in SAP Note 3694383
At a glance
What was the issue
The vulnerability is a classic missing authorization check. A particular function module in the ABAP database interface layer (the BC-DB-INF component, tied to the Informix database platform) could be executed by any authenticated user, but the code did not first verify that the caller was actually authorized to run it. As a result, the function returned information drawn from the ABAP system's database catalog to callers who should not have had access to it.
Per SAP's own assessment, the impact is limited to confidentiality, and only at a low level - there is no effect on the integrity or availability of the system. The CVSS vector reflects that: the attack can be launched over the network (AV:N) but requires an authenticated session with low privileges (PR:L) and has high attack complexity (AC:H), so it is not a trivial, unauthenticated exploit. The scope is marked as changed (S:C), meaning the exposed information can cross the boundary of the immediately affected component. Taken together, SAP rates it 3.5 out of 10 - a Low-severity information disclosure issue. In line with responsible advisory practice, this write-up stays at the level of vulnerability class and impact and does not include exploitation steps.
The vulnerable code vs. the fix
The change sits in function module DB_INF_DB_SPACE_ALL_DETAIL (function group STD2, part of SAP_BASIS), which reports Informix database space and catalog details.
VULNERABLEIF SY-DBSYS(3) <> 'INF'.
RAISE WRONG_DATABASE.
ENDIF.
* authority-check object 'S_ADMI_FCD'
* id 'S_ADMI_FCD' field 'ST0R'.
* if sy-subrc = 0 .
* Fill monikey.
CLEAR MONIKEY.
MOVE '--' TO MONIKEY-SYSTEM.
MOVE SY-SYSID TO MONIKEY-DB.
MOVE 'snapshot 1 ' TO MONIKEY-FILLER.
IMPORT DATETIME DBSPACES FROM DATABASE MONI(DB) ID MONIKEY.
FIXED
RAISE WRONG_DATABASE. " Informix is no longer supported
How to fix it
The remediation is straightforward: apply SAP Note 3694383. After the correction, the affected function enforces a proper authorization check before it will run, so unauthorized callers are blocked from reading the catalog information.
- Import the Support Package that contains the fix for your SAP_BASIS release (see the table below), or
- Implement the correction instructions manually through the Note Assistant transaction (SNOTE) if you cannot yet move to the target Support Package, then
- Retest the affected function to confirm the authorization check is now enforced for non-privileged users.
SAP delivered corrections across a wide range of SAP_BASIS releases, so most productive ABAP systems are in scope. The minimum Support Package levels that carry the fix are:
| SAP_BASIS release | Support Package with fix |
|---|---|
| 731 | SAPKB73138 |
| 740 | SAPKB74035 |
| 750 | SAPK-75035INSAPBASIS |
| 752 | SAPK-75218INSAPBASIS |
| 753 | SAPK-75316INSAPBASIS |
| 754 | SAPK-75414INSAPBASIS |
| 755 | SAPK-75512INSAPBASIS |
| 756 | SAPK-75610INSAPBASIS |
| 757 | SAPK-75708INSAPBASIS |
| 758 | SAPK-75806INSAPBASIS |
| 816 | SAPK-81602INSAPBASIS |
Releases 702 and 731 are also listed as affected; for those, apply the correction instructions referenced in the note if the corresponding Support Package is not available in your landscape. Always confirm the exact target level for your system against the note itself before scheduling the change.
Low severity does not mean "ignore it." Information disclosure from the database catalog is exactly the kind of foothold that helps an attacker map a system and chain toward something more serious, and missing-authorization findings tend to cluster - where one function skipped its check, others often did too. Keeping current with the monthly SAP Security Patch Day is the reliable way to stay ahead of them. This is precisely the class of bug the RedRays ABAP Code Scanner is built to catch through static analysis - a missing authorization check sitting quietly in ABAP code - which is how this one came to light before most landscapes had even seen the Note.
Catch missing authorization checks before SAP has to
CVE-2026-24310 started as a missing authorization check in ABAP code - exactly the pattern the RedRays ABAP Code Scanner is built to catch automatically in custom and standard ABAP, well before it ever turns into an SAP Security Note.
Explore ABAP Code ScannerThis vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP subsequently addressed it in SAP Note 3694383. Beyond that, this article summarizes publicly assigned CVE information and SAP's own severity rating for awareness purposes; it is an independent advisory summary and is not affiliated with or endorsed by SAP SE. Customers should always rely on the official SAP Note 3694383 in SAP for Me and their own risk assessment when planning remediation. SAP, SAP NetWeaver, and SAP_BASIS are trademarks of SAP SE.

