Skip links
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Note 3703856: Missing Authorization Check (CVE-2026-24309)

SAP Security Note - Patch Advisory

SAP Note 3703856 fixes a missing authorization check in the SAP NetWeaver Application Server for ABAP. Before the fix, an authenticated user could reach a specific database-monitoring function and change entries in the ABAP system's database configuration table without holding the right administrative authorization. SAP released the correction on 10 March 2026, and every affected system should apply it.

This one started on our side of the fence: the RedRays research team identified the missing check while reviewing this function with the RedRays ABAP Code Scanner, our static-analysis tool for custom and standard ABAP code, and SAP subsequently closed the gap in this note.

At a glance

SAP Note3703856
CVECVE-2026-24309
Vulnerability classMissing authorization check
ComponentBC-DB-ORA-CCM (Oracle CCMS database monitors)
Affected softwareSAP_BASIS 700 - 702, 731, 740, 750 - 816
Released10 March 2026
CVSS v3.0 base score6.4 - Medium
Severity impactIntegrity: Low - Availability: Low - Confidentiality: None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

What was the issue

The affected function belongs to the Oracle database monitoring area (CCMS) within SAP_BASIS. Because it did not enforce an authorization check for write access, an authenticated attacker with only low privileges could call the function module to read, modify, or insert entries in the database configuration table of the ABAP system. In other words, the code trusted that anyone able to reach the function was allowed to change these database settings, rather than verifying that the caller actually held the required administrative authorization.

The practical risk is a content-integrity and availability problem. Unauthorized changes to the database configuration could reduce system performance or cause interruptions to the ABAP system. SAP rates the impact as low for both integrity and availability, with no effect on confidentiality - the issue is about unwanted writes to configuration data, not about reading sensitive information. The Scope is rated as Changed because the affected function can influence the underlying database beyond the application component itself, which is what lifts the CVSS base score to 6.4 (Medium). No user interaction is required, and the flaw is reachable over the network by an authenticated user.

The vulnerable code vs. the fix

The gap sits in the function module DDIC_TABLESPACE_UPDATE_ORA (function group SDBR), the Oracle CCMS routine SAP_BASIS uses to write tablespace entries into the database configuration table.

VULNERABLE
* Initialisierungen
[ ... unchanged code ... ]
    ENDIF.
  ENDIF.
ENDFUNCTION.
FIXED
AUTHORITY-CHECK object 'S_RZL_ADM' id 'ACTVT' field '01'.
IF sy-subrc = 0.

* Initialisierungen
[ ... unchanged code ... ]
    ENDIF.
  ENDIF.

  ELSE.
    message e208(00) with 'Function requires authorization object S_RZL_ADM 01'(004).
  ENDIF.
ENDFUNCTION.

How to fix it

Apply SAP Note 3703856. The correction implements the missing authorization check so that write access to the database configuration is now verified before the operation runs. Depending on your maintenance strategy, you can either import the relevant Support Package or apply the correction instructions referenced in the note.

The note covers a wide SAP_BASIS range, so confirm your exact release and target the matching Support Package level:

SAP_BASIS releaseFixed in Support Package
731SAPKB73138
740SAPKB74035
750SAPK-75035INSAPBASIS
752SAPK-75218INSAPBASIS
753SAPK-75316INSAPBASIS
754SAPK-75414INSAPBASIS
755SAPK-75512INSAPBASIS
756SAPK-75610INSAPBASIS
757SAPK-75708INSAPBASIS
758SAPK-75806INSAPBASIS
816SAPK-81602INSAPBASIS

For older releases in the 700 - 702 range where a Support Package may not be offered, apply the correction instructions attached to the note. As always, test the change in a non-production system first, then roll it out through your regular transport path.

The RedRays ABAP Code Scanner is the tool that first flagged this missing-authorization-check pattern - the same class of gap SAP closed in note 3703856 - and it keeps checking your custom and standard ABAP code for it long after any single patch cycle ends.

Why it still matters after the patch

Missing-authorization-check notes are among the most common findings in SAP Security Patch Day. They are easy to overlook because they do not break anything visible - the function keeps working, it simply stops enforcing who is allowed to use it. That makes disciplined patch verification, not just patch deployment, the difference between a closed gap and one that lingers for months across dozens of systems.

Catch missing authorization checks like this one before SAP has to

A function that trusts the caller instead of checking their authorization is exactly the class of bug the RedRays ABAP Code Scanner is built to catch. It scans your custom and standard ABAP code directly in your landscape and flags gaps like the one behind note 3703856 automatically, well before they turn into a Security Note.

Explore ABAP Code Scanner

Reference: SAP Security Note 3703856 - CVE-2026-24309 - released 10 March 2026. This vulnerability was identified by the RedRays research team using the RedRays ABAP Code Scanner, and SAP addressed it in this note. This advisory includes only the short, minimal code excerpt above illustrating the specific fix - not the full correction instruction.

This post is provided for informational purposes based on SAP's published security note and is not affiliated with or endorsed by SAP SE. SAP and SAP NetWeaver are trademarks of SAP SE.

Explore More