CVE-2023-26460— Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-26460
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP NetWeaver Application Server 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP NetWeaver Application Server是德国思爱普(SAP)公司的一款应用程序服务器。 SAP NetWeaver Application Server 7.50版本存在访问控制错误漏洞,该漏洞源于对需要用户身份的功能不执行任何身份验证检查。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP | NetWeaver AS for Java | 7.50 | - |
II. Public POCs for CVE-2023-26460
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-26460
请登录查看更多情报信息。
Same Patch Batch · SAP · 2023-03-14 · 21 CVEs total
| CVE-2023-23857 | 9.9 CRITICAL | Improper Access Control in SAP NetWeaver AS for Java |
| CVE-2023-25616 | 9.9 CRITICAL | Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) |
| CVE-2023-27500 | 9.6 CRITICAL | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform |
| CVE-2023-27269 | 9.6 CRITICAL | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform |
| CVE-2023-25617 | 9.0 CRITICAL | OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform |
| CVE-2023-27893 | 8.8 HIGH | Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) |
| CVE-2023-27501 | 8.7 HIGH | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform |
| CVE-2023-26459 | 7.4 HIGH | Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for ABAP and ABAP Pla |
| CVE-2023-27498 | 7.2 HIGH | Memory Corruption vulnerability in SAP Host Agent (SAPOSCOL) |
| CVE-2023-25615 | 6.8 MEDIUM | SQL Injection vulnerability in SAP ABAP Platform |
| CVE-2023-26461 | 6.8 MEDIUM | XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) |
| CVE-2023-27896 | 6.5 MEDIUM | Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platfo |
| CVE-2023-27271 | 6.5 MEDIUM | Server Side Request Forgery (SSRF) in the SAP BusinessObjects Business Intelligence platfo |
| CVE-2023-27270 | 6.5 MEDIUM | Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform |
| CVE-2023-25618 | 6.5 MEDIUM | Denial of Service (DoS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform |
| CVE-2023-26457 | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in SAP Content Server |
| CVE-2023-27895 | 6.1 MEDIUM | Information Disclosure vulnerability in SAP Authenticator for Android |
| CVE-2023-27268 | 5.3 MEDIUM | Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) |
| CVE-2023-24526 | 5.3 MEDIUM | Improper Access Control in SAP NetWeaver AS Java (Classload Service) |
| CVE-2023-27894 | 5.0 MEDIUM | Sensitive Information Disclosure in the SAP BusinessObjects Business Intelligence platform |
IV. Related Vulnerabilities
Same vendor: SAP
- CVE-2023-29189
HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) - CVE-2023-29187
DLL Hijacking vulnerability in SapSetup (Software Installati - CVE-2023-29186
Directory/Path Traversal vulnerability in SAP NetWeaver. - CVE-2023-29185
Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Busine - CVE-2023-29112
Code Injection vulnerability in SAP Application Interface Fr
Same weakness: CWE-284
- CVE-2026-45301
Open WebUI: Missing permission check in files API allows aut - CVE-2026-44556
Open WebUI: responses passthrough endpoint lacks access cont - CVE-2026-44774
Traefik: Gateway API TraefikService backend accepts rest@int - CVE-2025-0040
NXP JTAG-AXI访问控制漏洞 - CVE-2026-44478
hoppscotch: Unauthenticated Onboarding Config Disclosure via
V. Comments for CVE-2023-26460
No comments yet