SAP Note 3703856 fixes a missing authorization check in the SAP NetWeaver Application Server for ABAP. Before the fix, an authenticated user could reach a specific database-monitoring function and change entries in the ABAP system's database configuration table without holding the right administrative authorization. SAP released the correction on 10 March 2026, and every affected system should apply it.
This one started on our side of the fence: the RedRays research team identified the missing check while reviewing this function with the RedRays ABAP Code Scanner, our static-analysis tool for custom and standard ABAP code, and SAP subsequently closed the gap in this note.
At a glance
What was the issue
The affected function belongs to the Oracle database monitoring area (CCMS) within SAP_BASIS. Because it did not enforce an authorization check for write access, an authenticated attacker with only low privileges could call the function module to read, modify, or insert entries in the database configuration table of the ABAP system. In other words, the code trusted that anyone able to reach the function was allowed to change these database settings, rather than verifying that the caller actually held the required administrative authorization.
The practical risk is a content-integrity and availability problem. Unauthorized changes to the database configuration could reduce system performance or cause interruptions to the ABAP system. SAP rates the impact as low for both integrity and availability, with no effect on confidentiality - the issue is about unwanted writes to configuration data, not about reading sensitive information. The Scope is rated as Changed because the affected function can influence the underlying database beyond the application component itself, which is what lifts the CVSS base score to 6.4 (Medium). No user interaction is required, and the flaw is reachable over the network by an authenticated user.
The vulnerable code vs. the fix
The gap sits in the function module DDIC_TABLESPACE_UPDATE_ORA (function group SDBR), the Oracle CCMS routine SAP_BASIS uses to write tablespace entries into the database configuration table.
VULNERABLE* Initialisierungen
[ ... unchanged code ... ]
ENDIF.
ENDIF.
ENDFUNCTION.
FIXED
AUTHORITY-CHECK object 'S_RZL_ADM' id 'ACTVT' field '01'.
IF sy-subrc = 0.
* Initialisierungen
[ ... unchanged code ... ]
ENDIF.
ENDIF.
ELSE.
message e208(00) with 'Function requires authorization object S_RZL_ADM 01'(004).
ENDIF.
ENDFUNCTION.
How to fix it
Apply SAP Note 3703856. The correction implements the missing authorization check so that write access to the database configuration is now verified before the operation runs. Depending on your maintenance strategy, you can either import the relevant Support Package or apply the correction instructions referenced in the note.
The note covers a wide SAP_BASIS range, so confirm your exact release and target the matching Support Package level:
| SAP_BASIS release | Fixed in Support Package |
|---|---|
| 731 | SAPKB73138 |
| 740 | SAPKB74035 |
| 750 | SAPK-75035INSAPBASIS |
| 752 | SAPK-75218INSAPBASIS |
| 753 | SAPK-75316INSAPBASIS |
| 754 | SAPK-75414INSAPBASIS |
| 755 | SAPK-75512INSAPBASIS |
| 756 | SAPK-75610INSAPBASIS |
| 757 | SAPK-75708INSAPBASIS |
| 758 | SAPK-75806INSAPBASIS |
| 816 | SAPK-81602INSAPBASIS |
For older releases in the 700 - 702 range where a Support Package may not be offered, apply the correction instructions attached to the note. As always, test the change in a non-production system first, then roll it out through your regular transport path.
Why it still matters after the patch
Missing-authorization-check notes are among the most common findings in SAP Security Patch Day. They are easy to overlook because they do not break anything visible - the function keeps working, it simply stops enforcing who is allowed to use it. That makes disciplined patch verification, not just patch deployment, the difference between a closed gap and one that lingers for months across dozens of systems.
Catch missing authorization checks like this one before SAP has to
A function that trusts the caller instead of checking their authorization is exactly the class of bug the RedRays ABAP Code Scanner is built to catch. It scans your custom and standard ABAP code directly in your landscape and flags gaps like the one behind note 3703856 automatically, well before they turn into a Security Note.
Explore ABAP Code ScannerReference: SAP Security Note 3703856 - CVE-2026-24309 - released 10 March 2026. This vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP addressed it in this note. This advisory includes only the short, minimal code excerpt above illustrating the specific fix - not the full correction instruction.
This post is provided for informational purposes based on SAP's published security note and is not affiliated with or endorsed by SAP SE. SAP and SAP NetWeaver are trademarks of SAP SE.

