Skip links
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Note 3694383: Missing Authorization Check (CVE-2026-24310)

SAP Note 3694383 closes a missing authorization check in SAP NetWeaver Application Server for ABAP. Before the fix, an authenticated user could call a specific ABAP function module and read sensitive details from the ABAP system's database catalog without the proper authorization being enforced first. SAP shipped the correction on 10 March 2026, as part of that month's SAP Security Patch Day.

This one has a bit of a backstory for us: the RedRays research team identified this exact issue while running the RedRays ABAP Code Scanner, our static-analysis tool for custom and standard ABAP code, and SAP subsequently fixed it in this Note.

Tracked as CVE-2026-24310 · Component BC-DB-INF · Released 10 March 2026 · Fixed in SAP Note 3694383

At a glance

SAP Note3694383
CVECVE-2026-24310
CVSS v3.0 base score3.5  Low
Vulnerability classMissing authorization check
Affected productSAP NetWeaver AS for ABAP
ComponentBC-DB-INF (Database Interface)
Affected releases (SAP_BASIS)702, 731, 740, and 750 through 816
CVSS vectorCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

What was the issue

The vulnerability is a classic missing authorization check. A particular function module in the ABAP database interface layer (the BC-DB-INF component, tied to the Informix database platform) could be executed by any authenticated user, but the code did not first verify that the caller was actually authorized to run it. As a result, the function returned information drawn from the ABAP system's database catalog to callers who should not have had access to it.

Per SAP's own assessment, the impact is limited to confidentiality, and only at a low level - there is no effect on the integrity or availability of the system. The CVSS vector reflects that: the attack can be launched over the network (AV:N) but requires an authenticated session with low privileges (PR:L) and has high attack complexity (AC:H), so it is not a trivial, unauthenticated exploit. The scope is marked as changed (S:C), meaning the exposed information can cross the boundary of the immediately affected component. Taken together, SAP rates it 3.5 out of 10 - a Low-severity information disclosure issue. In line with responsible advisory practice, this write-up stays at the level of vulnerability class and impact and does not include exploitation steps.

The vulnerable code vs. the fix

The change sits in function module DB_INF_DB_SPACE_ALL_DETAIL (function group STD2, part of SAP_BASIS), which reports Informix database space and catalog details.

VULNERABLE
IF SY-DBSYS(3) <> 'INF'.
  RAISE WRONG_DATABASE.
ENDIF.

* authority-check object 'S_ADMI_FCD'
*         id 'S_ADMI_FCD' field 'ST0R'.
* if sy-subrc = 0 .
*   Fill monikey.
  CLEAR MONIKEY.
  MOVE '--' TO MONIKEY-SYSTEM.
  MOVE SY-SYSID TO MONIKEY-DB.
  MOVE  'snapshot 1 ' TO MONIKEY-FILLER.

  IMPORT DATETIME DBSPACES FROM DATABASE MONI(DB) ID MONIKEY.
FIXED
RAISE WRONG_DATABASE. " Informix is no longer supported

How to fix it

The remediation is straightforward: apply SAP Note 3694383. After the correction, the affected function enforces a proper authorization check before it will run, so unauthorized callers are blocked from reading the catalog information.

  1. Import the Support Package that contains the fix for your SAP_BASIS release (see the table below), or
  2. Implement the correction instructions manually through the Note Assistant transaction (SNOTE) if you cannot yet move to the target Support Package, then
  3. Retest the affected function to confirm the authorization check is now enforced for non-privileged users.

SAP delivered corrections across a wide range of SAP_BASIS releases, so most productive ABAP systems are in scope. The minimum Support Package levels that carry the fix are:

SAP_BASIS releaseSupport Package with fix
731SAPKB73138
740SAPKB74035
750SAPK-75035INSAPBASIS
752SAPK-75218INSAPBASIS
753SAPK-75316INSAPBASIS
754SAPK-75414INSAPBASIS
755SAPK-75512INSAPBASIS
756SAPK-75610INSAPBASIS
757SAPK-75708INSAPBASIS
758SAPK-75806INSAPBASIS
816SAPK-81602INSAPBASIS

Releases 702 and 731 are also listed as affected; for those, apply the correction instructions referenced in the note if the corresponding Support Package is not available in your landscape. Always confirm the exact target level for your system against the note itself before scheduling the change.

Low severity does not mean "ignore it." Information disclosure from the database catalog is exactly the kind of foothold that helps an attacker map a system and chain toward something more serious, and missing-authorization findings tend to cluster - where one function skipped its check, others often did too. Keeping current with the monthly SAP Security Patch Day is the reliable way to stay ahead of them. This is precisely the class of bug the RedRays ABAP Code Scanner is built to catch through static analysis - a missing authorization check sitting quietly in ABAP code - which is how this one came to light before most landscapes had even seen the Note.

Catch missing authorization checks before SAP has to

CVE-2026-24310 started as a missing authorization check in ABAP code - exactly the pattern the RedRays ABAP Code Scanner is built to catch automatically in custom and standard ABAP, well before it ever turns into an SAP Security Note.

Explore ABAP Code Scanner

This vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP subsequently addressed it in SAP Note 3694383. Beyond that, this article summarizes publicly assigned CVE information and SAP's own severity rating for awareness purposes; it is an independent advisory summary and is not affiliated with or endorsed by SAP SE. Customers should always rely on the official SAP Note 3694383 in SAP for Me and their own risk assessment when planning remediation. SAP, SAP NetWeaver, and SAP_BASIS are trademarks of SAP SE.

Explore More