CVE-2026-40132 Overview
CVE-2026-40132 is a missing authorization vulnerability in SAP Strategic Enterprise Management (SAP SEM), located in the Scorecard Wizard, a Business Server Pages (BSP) application. An authenticated attacker can read information they are not authorized to view and can modify the default settings and value fields used in risk evaluations; such changes can falsely lower assessed risk levels and undermine the integrity of strategic risk reporting. The weakness is classified as [CWE-862] Missing Authorization. Exploitation requires network access to the BSP endpoint and low-privileged credentials, with no user interaction.
Critical Impact
Authenticated attackers can read restricted data and tamper with risk evaluation value fields, producing misleading risk assessments that may influence executive and compliance decisions.
Affected Products
- SAP Strategic Enterprise Management (SAP SEM)
- Scorecard Wizard component within Business Server Pages (BSP)
- Refer to SAP Note #3721959 for the complete list of affected support packages
Discovery Timeline
- 2026-05-12 - CVE-2026-40132 published to the National Vulnerability Database
- 2026-05-12 - SAP Security Patch Day advisory published with SAP Note #3721959
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-40132
Vulnerability Analysis
The vulnerability resides in the Scorecard Wizard delivered through SAP Business Server Pages within SAP Strategic Enterprise Management. The Scorecard Wizard exposes BSP handlers that fail to enforce authorization checks before serving or modifying scorecard data. Any authenticated user with network access to the BSP application can invoke these handlers and interact with scorecards belonging to other users or organizational units.
Beyond read access, the missing check extends to write operations on value fields and default settings. An attacker can alter the inputs that feed strategic risk calculations. The application then computes risk scores based on tampered values, producing artificially low risk ratings. This affects confidentiality and integrity but does not impact availability.
Root Cause
The root cause is an absent authorization check ([CWE-862]) on Scorecard Wizard request handlers. The BSP application relies on authentication alone and does not validate whether the authenticated principal is permitted to view or modify the targeted scorecard objects and value fields.
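To make the root cause concrete, here is an added example written for this page in Python. It is a generic request handler, not SAP's Scorecard Wizard code (which is ABAP/BSP); the scorecard store, the org-unit scope model, the editable-field allow-list and the toy risk evaluation are all assumptions. The point is the contrast between a handler that only checks that someone is logged in and one that checks the caller's entitlement to the named object and to the write itself.

```python
"""Missing authorization (CWE-862) in a scorecard handler, before and after.

Added illustration for this page; names, fields and the scope model are assumed,
not taken from SAP SEM.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass
class Scorecard:
    scorecard_id: str
    org_unit: str            # owning organizational unit (assumed scope key)
    value_fields: dict       # inputs to the risk evaluation


@dataclass(frozen=True)
class Principal:
    user: str
    org_units: frozenset     # units this user may read
    can_edit: bool           # may this user change value fields at all


# Assumed allow-list of fields a wizard user may write; 'exposure' is measured, not set.
EDITABLE_FIELDS = {"weight", "threshold"}


def sample_store() -> dict:
    """Constructed sample data; callers get a fresh copy each time."""
    return {
        "SC-1001": Scorecard("SC-1001", "FIN", {"weight": 0.4, "threshold": 80, "exposure": 95}),
        "SC-2002": Scorecard("SC-2002", "OPS", {"weight": 0.6, "threshold": 70, "exposure": 40}),
    }


def assessed_risk(sc: Scorecard) -> str:
    """Toy evaluation: exposure above the threshold is rated HIGH, otherwise LOW."""
    f = sc.value_fields
    return "HIGH" if f["exposure"] > f["threshold"] else "LOW"


def vulnerable_handler(principal: Optional[Principal], store: dict,
                       scorecard_id: str, changes: Optional[dict] = None) -> dict:
    """CWE-862 pattern: authentication is checked, then any named object is served
    or modified. Raising the threshold on someone else's scorecard flips its rating."""
    if principal is None:
        raise Forbidden("authentication required")
    sc = store[scorecard_id]                 # no check that the caller may see this object
    if changes:
        sc.value_fields.update(changes)      # no edit-right check, no field allow-list
    return dict(sc.value_fields)


def hardened_handler(principal: Optional[Principal], store: dict,
                     scorecard_id: str, changes: Optional[dict] = None) -> dict:
    """Same entry point with the missing authorization checks added."""
    if principal is None:
        raise Forbidden("authentication required")
    sc = store.get(scorecard_id)
    # Authorize the object, not just the entry point. Unknown and foreign ids get
    # the same answer so the response does not reveal which ids exist.
    if sc is None or sc.org_unit not in principal.org_units:
        raise Forbidden("not authorized for this scorecard")
    if changes:
        if not principal.can_edit:
            raise Forbidden("read-only principal")
        bad = set(changes) - EDITABLE_FIELDS
        if bad:
            raise Forbidden(f"fields not writable: {sorted(bad)}")
        sc.value_fields.update(changes)
    return dict(sc.value_fields)


def denied(handler, *args, **kwargs) -> bool:
    """True if the handler refuses the call with Forbidden."""
    try:
        handler(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

Run against a fresh `sample_store()`: a low-privileged OPS user calling `vulnerable_handler` with `{"threshold": 99}` on `SC-1001` turns that scorecard's rating from HIGH to LOW, while `hardened_handler` rejects the read, the write, and a probe for a non-existent id with the same error.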
Attack Vector
Exploitation requires network access to the SAP BSP endpoint and valid low-privileged credentials. No user interaction is needed. The attacker issues crafted HTTP requests to Scorecard Wizard URLs and supplies identifiers or value parameters for objects outside their assigned scope. The EPSS score is 0.008%, a low predicted likelihood of exploitation in the wild; EPSS says nothing about impact, so treat the finding as higher priority in environments where SEM data feeds executive risk reporting.
No public proof-of-concept exploit is available. The vulnerability is described in prose only; refer to the SAP Note #3721959 advisory for component-level technical details.
Detection Methods for CVE-2026-40132
Indicators of Compromise
- Unexpected HTTP requests to Scorecard Wizard BSP paths from user accounts that do not own the targeted scorecards
- Audit log entries showing modifications to scorecard value fields or default settings by non-owners
- Sudden downward shifts in calculated risk ratings without corresponding business activity
Detection Strategies
- Enable the SAP Security Audit Log (SM19, or RSAU_CONFIG on newer releases) for the clients and accounts in scope; it records logons, transaction starts and user-master changes, not individual HTTP requests, so pair it with ICM HTTP logging (profile parameter icm/HTTP/logging_0) to capture the actual calls to Scorecard Wizard BSP paths
- Correlate the ICM and Web Dispatcher access logs with SEM authorization assignments to identify requests that name scorecards outside the calling user's organizational unit
- Review change documents on scorecard objects for edits performed by accounts lacking the corresponding business role
Monitoring Recommendations
- Alert on repeated HTTP 200 responses to Scorecard Wizard endpoints originating from low-privileged service or test accounts
- Baseline normal Scorecard Wizard usage per user and flag deviations in request volume or target object IDs
- Forward SAP Web Dispatcher and ICM access logs to a centralized SIEM for cross-source correlation
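The correlation described in the detection and monitoring bullets, as an added example written for this page (not an SAP tool). It parses constructed CLF-style access-log lines of the kind ICM writes when icm/HTTP/logging_0 is enabled (the LOGFORMAT is configurable, so the regex is an assumption), joins them with a constructed user-to-scorecard scope map standing in for SEM authorization assignments, and reviews a constructed change-document list for edits by non-owners. The wizard service path and the `scorecard` query parameter are assumptions.

```python
"""Flag Scorecard Wizard requests and value-field edits outside a user's scope.

Added illustration for this page. The log layout, service path, query parameter
and scope model are assumptions; substitute your real SICF path and exports.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed BSP service path of the wizard; replace with the real SICF node path.
WIZARD_PREFIX = "/sap/bc/bsp/sap/scorecard_wizard/"

# CLF-style layout (%h %l %u %t "%r" %s %b); adjust if your ICM LOGFORMAT differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data standing in for SEM authorization assignments:
# user -> scorecards the user may view and edit.
SCOPE = {"ANALYST1": {"SC-1001"}, "TESTUSER": {"SC-2002"}}

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = """\
10.0.0.5 - ANALYST1 [12/May/2026:09:14:02 +0200] "GET /sap/bc/bsp/sap/scorecard_wizard/main.htm?scorecard=SC-1001 HTTP/1.1" 200 5120
10.0.0.9 - TESTUSER [12/May/2026:09:15:11 +0200] "GET /sap/bc/bsp/sap/scorecard_wizard/main.htm?scorecard=SC-1001 HTTP/1.1" 200 5120
10.0.0.9 - TESTUSER [12/May/2026:09:15:40 +0200] "POST /sap/bc/bsp/sap/scorecard_wizard/values.htm?scorecard=SC-1001 HTTP/1.1" 200 310
10.0.0.9 - TESTUSER [12/May/2026:09:16:02 +0200] "GET /sap/bc/bsp/sap/scorecard_wizard/main.htm?scorecard=SC-3003 HTTP/1.1" 403 220
10.0.0.9 - TESTUSER [12/May/2026:09:17:30 +0200] "GET /sap/bc/bsp/sap/scorecard_wizard/main.htm?scorecard=SC-2002 HTTP/1.1" 200 5120
10.0.0.7 - BATCH01 [12/May/2026:09:18:00 +0200] "GET /sap/bc/ping HTTP/1.1" 200 12
"""

# Constructed change-document records: (timestamp, user, scorecard, field, old, new).
CHANGE_DOCS = [
    ("2026-05-12T09:15:40", "TESTUSER", "SC-1001", "threshold", "80", "99"),
    ("2026-05-12T10:02:13", "ANALYST1", "SC-1001", "weight", "0.4", "0.5"),
]


def parse_line(line: str):
    """Parse one access-log line; None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scorecard_from_path(path: str):
    """Extract the assumed 'scorecard' query parameter from a request path."""
    return parse_qs(urlsplit(path).query).get("scorecard", [None])[0]


def cross_scope_requests(lines, scope):
    """Wizard requests naming a scorecard outside the user's scope.

    2xx answers are the likely compromises; denied ones still show intent and
    are worth keeping for the timeline. Users absent from the scope map have
    no entitlements, so every wizard request they make is flagged."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WIZARD_PREFIX):
            continue
        sc = scorecard_from_path(rec["path"])
        if sc is None or sc in scope.get(rec["user"], set()):
            continue
        findings.append({
            "user": rec["user"], "scorecard": sc, "method": rec["method"],
            "status": rec["status"],
            "verdict": "succeeded" if 200 <= rec["status"] < 300 else "denied",
        })
    return findings


def nonowner_changes(change_docs, scope):
    """Change-document records where the editing user does not own the scorecard."""
    return [d for d in change_docs if d[2] not in scope.get(d[1], set())]
```

On the constructed input this flags TESTUSER's two successful requests against SC-1001 and the denied probe of SC-3003, leaves ANALYST1's own scorecard and the unrelated ping untouched, and returns the threshold change on SC-1001 as the one non-owner edit; the successful POST and the matching change document together are the pattern the Indicators of Compromise describe.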
How to Mitigate CVE-2026-40132
Immediate Actions Required
- Apply the SAP patch referenced in SAP Note #3721959 on all SAP SEM systems
- Audit recent changes to scorecard value fields and default settings to identify potential tampering
- Review BSP authorization roles assigned to non-administrative users and remove unnecessary access to the Scorecard Wizard
Patch Information
SAP released the fix as part of the May 2026 SAP Security Patch Day. Implement the corrections delivered in SAP Note #3721959 and consult the SAP Security Patch Day portal for the supported support package levels. Apply patches through standard SAP transport procedures after validation in non-production systems.
Workarounds
- Restrict network access to the BSP application path hosting the Scorecard Wizard using SAP Web Dispatcher or reverse proxy ACLs
- Until the patch is applied, assign the roles that grant access to the Scorecard Wizard only to a minimal set of named users, and remove them from generic, test and service accounts
- Disable the Scorecard Wizard BSP service in transaction SICF if it is not actively used
# Workaround: deactivate the Scorecard Wizard ICF node until the patch is applied
# Transaction: SICF (Hierarchy Type SERVICE, then Execute)
# Path: /default_host/sap/bc/bsp/sap/<scorecard_wizard_service>
# Action: right-click the service node > Deactivate Service
# Verify: the node is now shown as inactive in the SICF tree, and a browser
#         request to the path above is rejected by ICF instead of opening the wizard
# Note: ICF activation state is client-independent, so one deactivation applies to
#       every client on the system and also blocks legitimate users of the wizard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


