Skip links
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Note 3704740: Missing Authorization Check (CVE-2026-27688)

SAP Security Note - Deep Dive

SAP Note 3704740 closes a missing authorization check in SAP NetWeaver Application Server for ABAP that let an authenticated user read internal database log files they had no business seeing. SAP released the fix on 10 March 2026 and assigned it CVE-2026-27688. Here is what the note covers, who is affected, and how to remediate.

That gap did not come from an outside audit: the RedRays research team found it with the RedRays ABAP Code Scanner, our static-analysis engine for custom and standard ABAP code, and SAP closed it in this note.

CVSS 5.0 - Medium Missing Authorization Check CVE-2026-27688

At a glance

SAP Note
3704740
CVE
CVE-2026-27688
Component
BC-DB-SDBDatabase Interface / MaxDB (SAP_BASIS)
Vulnerability class
Missing authorization check
CVSS v3.0 base score
5.0 (Medium)AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Released
10 March 2026
Affected SAP_BASIS releases
700 - 702, 710 - 711, 730, 731, 740, and 750 through 816

What was the issue

The affected code path lives in the MaxDB / Database Interface layer of SAP_BASIS (component BC-DB-SDB), which ships as part of every SAP NetWeaver Application Server for ABAP system. A specific remote-enabled function module exposed Database Analyzer log file content without first verifying that the caller was actually authorized to read it. In other words, the read operation trusted that anyone able to invoke the function module was entitled to the data, rather than enforcing an explicit authorization check.

Per SAP's own assessment, an authenticated attacker holding ordinary user privileges - and the ability to execute the relevant function module - could reach these log files and read information that would normally be restricted. The CVSS vector reflects a network-reachable, low-complexity issue that requires low privileges and no user interaction, with a changed scope and a limited impact on confidentiality only. Integrity and availability of the system are not affected, which is why SAP scored it 5.0 (Medium) rather than in the high or critical range. Database Analyzer logs can nonetheless surface operational detail about the system, so exposure to unauthorized users is a legitimate confidentiality concern.

The vulnerable code vs. the fix

The corrected logic sits in function module GET_FILE_SDB (function group SADY), the RFC-enabled module the Database Analyzer uses to read log files - the note replaces its authorization check with a stricter one.

VULNERABLE
DATA: caller_in_same_system.
CALL FUNCTION 'RFC_WITHIN_SAME_SYSTEM'
  IMPORTING
    caller_in_same_system     = caller_in_same_system
  EXCEPTIONS
    system_call_not_supported = 1
    no_rfc_communication      = 2
    internal_error            = 3.
IF ( sy-subrc = 0 AND caller_in_same_system = 'N' ) OR ( sy-subrc = 3 ).
FIXED
DATA lv_external_direct   TYPE sap_bool.
DATA lv_too_old           TYPE flag.

TRY.
    CALL METHOD ('CL_RFC')=>('CHECK_RFC_EXTERNAL_DIRECT')
      RECEIVING
        direct_external_call    = lv_external_direct
      EXCEPTIONS
        kernel_too_old = 1
        unexpected_error = 2
        OTHERS = 3.
    IF sy-subrc = 1.
*     Kernel prerequisite not fulfilled (see note 1882417)
      lv_too_old = abap_true.
    ENDIF.
  CATCH cx_sy_dyn_call_illegal_class
        cx_sy_dyn_call_illegal_method.
*   Class or method does not exist. ABAP prerequisite not fulfilled (see note 1882417)
    lv_too_old = abap_true.
ENDTRY.

IF lv_too_old = abap_true.
*  Prerequisite not fulfilled (see note 1882417)
  raise kernel_too_old.
ENDIF.

IF lv_external_direct = abap_true.
*  Call was performed via direct external RFC (other system, client or user)
The RedRays research team identified this missing authorization check with the RedRays ABAP Code Scanner, and SAP fixed it in this note. To keep the focus on the advisory itself, we show only the short, minimal code excerpt above that illustrates the specific fix - not exploit steps, proof-of-concept detail, or the full correction instruction.

How to fix it

The correction implements a proper authorization check for read access on the affected function, so that log file content is only returned to callers who are entitled to it. To remediate:

  • Apply SAP Note 3704740 - either by importing the referenced Support Package for your SAP_BASIS release, or by applying the correction instructions delivered with the note where a Support Package is not yet available.
  • Confirm your SAP_BASIS release is in scope - the note covers 700 - 702, 710 - 711, 730, 731, 740, and 750 through 816. If you run any of these, treat the patch as in-scope.
  • Bring systems to the fixed Support Package level - SAP lists the target Support Packages per release (for example, the SAPKB731xx / SAPKB740xx lines for 731 and 740, and the SAPK-...INSAPBASIS packages for the 750 - 816 range). Match your release to the level named in the note.
  • Re-check custom RFC exposure - review which users and interfaces can reach the affected function module, and tighten execution authorizations as part of your normal least-privilege hygiene.

Because this is a patch-and-configuration issue in SAP's own standard code rather than a defect in your custom developments, the fastest path is simply keeping SAP_BASIS current with SAP's Security Patch Day releases. It is the same kind of missing-authorization-check pattern the RedRays ABAP Code Scanner is built to catch, which is exactly why our research team found this one before most customers had ever run against the affected function.

Catch missing authorization checks before they become a Security Note

A missing authorization check like the one behind CVE-2026-27688 is exactly the class of bug the RedRays ABAP Code Scanner is built to catch - it scans your custom and standard ABAP code for gaps like this automatically, so they turn up in your own review instead of in a future SAP Security Note.

Explore ABAP Code Scanner
Reference: SAP Security Note 3704740 - "[CVE-2026-27688] Missing Authorization check in SAP NetWeaver Application Server for ABAP", component BC-DB-SDB, released 10 March 2026. This vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner. Always validate applicability against your own configuration; the CVSS base score is an estimate and does not replace your own risk assessment.

This article covers a vulnerability found by the RedRays research team with the RedRays ABAP Code Scanner and fixed by SAP in the note referenced above. It includes only the short, minimal code excerpt above illustrating the specific fix - not the full correction text. SAP and NetWeaver are trademarks of SAP SE.

Explore More