SAP Note 3703385 closes a missing authorization check in the SAP Business Warehouse Service API. In affected systems an already authenticated user could reach a Remote Function Call (RFC) function module that did not consistently verify their permissions, opening the door to configuration and control changes they were never entitled to make. SAP shipped the fix on 10 March 2026.
This is one we know well: the underlying flaw was identified by the RedRays research team using the RedRays ABAP Code Scanner, our static-analysis engine for custom and standard ABAP code, and SAP addressed it in this note.
This write-up summarizes what the note addresses, which components and releases are in scope, and how to remediate it - at the level of a public patch advisory, with a short, minimal code excerpt further down illustrating the specific fix.
At a glance
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
DW4CORE 200
DW4CORE 300
DW4CORE 400
PI_BASIS 2006_1_700
PI_BASIS 701 - 702
PI_BASIS 730 - 731
PI_BASIS 740
SAP_BW 750 - 816
What was the issue
The SAP Business Warehouse Service API exposes RFC-callable function modules that drive data replication and load operations. The note describes a case where the authorization enforcement around some of these functions was inconsistent - certain scenarios let a caller carry out actions that should have required a specific authorization the caller did not actually hold. In other words, the permission check that is meant to gate the operation was not applied everywhere it needed to be.
Because the affected entry points are reachable over RFC across the network, an authenticated user with only low privileges could take advantage of the gap without any interaction from another user. The practical risk, per SAP's own assessment, is unauthorized configuration and control changes - for example, interfering with RFC destinations used for data-load connections or interrupting active processing. That maps to a low impact on data integrity and a high impact on availability, since disrupted request processing can lead to a denial of service. Confidentiality is not affected. The relatively high attack complexity is why the overall score lands in the Medium band at 5.9 rather than higher.
We are intentionally keeping this at the advisory level and are not publishing exploit steps or proof-of-concept detail.
The vulnerable code vs. the fix
The correction instruction for this note touches function module RO_SET_STOP (function group RSAP), the part of the BW Service API that stops an active extraction session - the two snippets below are reproduced exactly as SAP's correction instruction shows them, with nothing added and nothing else changed.
FUNCTION ro_set_stop.
DATA: l_s_stop TYPE rostop,
FUNCTION ro_set_stop.
AUTHORITY-CHECK OBJECT 'S_RO_OSOA'
ID 'OLTPSOURCE' DUMMY
ID 'OSOAAPCO' DUMMY
ID 'OSOAPART' FIELD 'DEFINITION'
ID 'ACTVT' FIELD '23'.
IF sy-subrc <> 0.
MESSAGE e003(sqf) WITH sy-uname 'MAINTAIN DEFINITON' 'S_RO_OSOA'.
ENDIF.
DATA: l_s_stop TYPE rostop,
How to fix it
The remediation is straightforward: apply SAP Note 3703385. The corrected code adds the missing authorization enforcement so that the relevant operations - such as modifying an RFC destination when setting up a new data-load connection, or interrupting an active session - are only permitted for callers who actually hold the required authorization.
Two paths, same outcome. You can either import the Support Package that contains this fix for your component version, or apply the Correction Instructions referenced in the note on systems that are not yet on that Support Package level. Choose whichever fits your maintenance strategy - the note lists the target Support Package for each affected release.
Practical steps for SAP Basis and security teams:
- Confirm whether your landscape runs any of the affected components and release levels listed above (DW4CORE, PI_BASIS, or SAP_BW).
- Import the Support Package that includes the fix, or implement the note's Correction Instructions if you cannot yet move to that Support Package.
- Note the prerequisite: on PI_BASIS 730 to 740 the related ODP data replication enhancement note is required before this correction.
- Review who holds broad RFC and BW Service API authorizations, and validate the fix in a non-production system before promoting it.
Missing authorization checks are one of the most common findings SAP resolves on Patch Day, and they are easy to lose track of across a large landscape with many components at different Support Package levels. It is also exactly the class of flaw the RedRays ABAP Code Scanner is built to catch in custom ABAP code, the same way our research team caught the gap this note fixes, so equivalent issues surface long before they turn into the next Patch Day note.
Missing authorization checks like this one are exactly what we scan for
A missing authorization check in a custom or standard ABAP function module, the same flaw class behind CVE-2026-27686, is precisely what the RedRays ABAP Code Scanner is built to catch. It analyzes your ABAP code base automatically and flags gaps like this one before they turn into the next SAP Security Note.
Explore ABAP Code ScannerThis vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP addressed it in Security Note 3703385 (component BC-BW, CVE-2026-27686). This advisory paraphrases the publicly relevant facts from that note for awareness purposes and includes only the short, minimal code excerpt above illustrating the specific fix - not the full correction instruction. Customers should always refer to the original note in the SAP Support Portal for authoritative guidance. RedRays is an independent SAP security vendor and is not affiliated with SAP SE.

