CVE-2026-0491 Overview
CVE-2026-0491 is a code injection vulnerability in SAP Landscape Transformation (SLT). The flaw resides in a function module exposed through Remote Function Call (RFC). An attacker with administrative privileges can inject arbitrary ABAP code and operating system commands. The function module bypasses essential authorization checks, effectively operating as a backdoor.
Successful exploitation compromises the confidentiality, integrity, and availability of the SAP system. The vulnerability is tracked under CWE-94: Improper Control of Generation of Code.
Critical Impact
Authenticated attackers with admin privileges can execute arbitrary ABAP code and OS commands on the SAP host, leading to full system compromise.
Affected Products
- SAP Landscape Transformation Replication Server (SLT), delivered with the DMIS add-on; the add-on is also installed on connected source systems, so check those installations as well as the SLT server itself
- SAP systems exposing the affected RFC-enabled function module
- SAP environments in which administrative accounts can reach that module over RFC
Discovery Timeline
- 2026-01-13 - CVE-2026-0491 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in the NVD database
Technical Details for CVE-2026-0491
Vulnerability Analysis
The vulnerability exists in an RFC-exposed function module within SAP Landscape Transformation. SLT typically replicates and transforms data between SAP and non-SAP systems. The affected module accepts input that is incorporated into dynamically constructed ABAP statements or operating system commands without proper validation.
The function module also omits the authorization checks that should gate it. Together, these defects let an authenticated administrator supply code that the ABAP work process executes on the application server; injected OS commands run as the <sid>adm user that owns the work processes. Execution at this level provides direct access to business data, configuration, and the underlying host operating system.
Root Cause
The root cause is improper control of code generation [CWE-94] inside an RFC-callable function module. Caller-supplied data flows into code or command construction paths. Authorization checks that would normally restrict who can invoke such functionality are absent. The result is a function module that behaves as a backdoor for any caller able to reach it over RFC.
Attack Vector
The attack vector is network-based RFC. An attacker who already holds administrative privileges authenticates to the SAP system, then invokes the vulnerable function module remotely. Crafted parameters cause the module to execute attacker-controlled ABAP statements or shell commands. Because the module lets an ABAP-level caller cross into the host operating system, the impact extends beyond the vulnerable component (CVSS scope: Changed).
No verified public proof-of-concept code is available for CVE-2026-0491. Refer to SAP Note 3697979 for vendor technical details.
Detection Methods for CVE-2026-0491
Indicators of Compromise
- Unexpected RFC calls to SAP Landscape Transformation function modules from non-administrative hosts or service accounts.
- New or modified ABAP programs, reports, or function modules created outside scheduled change windows.
- Shells or scripting interpreters spawned as child processes of an SAP work process (disp+work, shown as dw.sap<SID>_<instance> in the Linux process list) on the application server host.
- Outbound network connections initiated by the SAP application server to unfamiliar destinations.
Detection Strategies
- Enable the "RFC function call" audit class in the Security Audit Log (SM19/SM20; RSAU_CONFIG and RSAU_READ_LOG on releases that replace them) and review AUK (successful) and AUL (failed) RFC-call events for SLT function modules.
- Correlate the RFC gateway log (gw/logging) with administrative user activity to identify anomalous calling patterns.
- Hunt for ABAP code changes with version management in SE38/SE80 (Utilities > Versions) and the split-screen comparison in SE39 against a known-good reference system. Code injected at runtime through GENERATE SUBROUTINE POOL is never stored in the repository, so also review ST22 dumps and the SM21 system log around suspicious RFC calls.
- Monitor the host operating system for child processes of disp+work (dw.sap<SID>_<instance>) or related SAP binaries that execute shells or interpreters.
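The host-side check from the last bullet, as an added example that is not code from SAP or from the advisory: it parses `ps -eo pid,ppid,comm,args` output (a constructed snapshot is embedded), walks each process's ancestors, and flags shells or interpreters whose ancestry includes an ABAP work process. It assumes, as on Linux, that work processes appear as disp+work or dw.sap<SID>_<instance> (ps truncates comm to 15 characters); the SID S4H, host names and PIDs in the sample are made up.

```python
"""Flag shells or script interpreters running under an SAP ABAP work process.

Added example; not code from SAP or from the advisory. Input is the text of
`ps -eo pid,ppid,comm,args`; SAMPLE_PS below is a constructed snapshot.
"""
from typing import Dict, List, Optional

# Assumption: how ABAP work processes show up in the process list on Linux.
WORK_PROCESS_PREFIXES = ("dw.sap", "disp+work")
# Interpreters that match the "shell spawned by a work process" indicator.
INTERPRETERS = {"sh", "bash", "dash", "ksh", "zsh", "perl", "python", "python3"}

# Constructed snapshot: dispatcher 1250 and work process 1260 for SID S4H,
# a shell (1300) spawned by the work process, and benign noise elsewhere.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
 1200     1 sapstart        sapstart pf=/usr/sap/S4H/SYS/profile/S4H_DVEBMGS00_sapapp01
 1250  1200 dw.sapS4H_DVEBM dw.sapS4H_DVEBMGS00 pf=/usr/sap/S4H/SYS/profile/S4H_DVEBMGS00_sapapp01
 1260  1250 dw.sapS4H_DVEBM dw.sapS4H_DVEBMGS00 pf=/usr/sap/S4H/SYS/profile/S4H_DVEBMGS00_sapapp01
 1270  1250 gwrd            gwrd -dp pf=/usr/sap/S4H/SYS/profile/S4H_DVEBMGS00_sapapp01
 1300  1260 sh              sh -c id
 1301  1300 id              id
 1400  1270 sapxpg          sapxpg
 2000     1 sshd            /usr/sbin/sshd -D
 2100  2000 bash            -bash
"""


def parse_ps(text: str) -> Dict[int, dict]:
    """Parse ps output into {pid: {pid, ppid, comm, args}}; the first line is the header."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) > 3 else comm
        procs[pid] = {"pid": pid, "ppid": ppid, "comm": comm, "args": args}
    return procs


def is_work_process(proc: dict) -> bool:
    return proc["comm"].startswith(WORK_PROCESS_PREFIXES)


def work_process_ancestor(procs: Dict[int, dict], pid: int) -> Optional[int]:
    """Return the PID of the nearest ancestor that is a work process, or None."""
    seen = set()
    cur = procs.get(pid, {}).get("ppid")
    while cur in procs and cur not in seen:
        seen.add(cur)
        if is_work_process(procs[cur]):
            return cur
        cur = procs[cur]["ppid"]
    return None


def suspicious_children(ps_text: str) -> List[dict]:
    """Interpreters whose ancestry includes an ABAP work process."""
    procs = parse_ps(ps_text)
    hits = []
    for proc in procs.values():
        if proc["comm"] not in INTERPRETERS:
            continue
        anc = work_process_ancestor(procs, proc["pid"])
        if anc is not None:
            hits.append({
                "pid": proc["pid"], "comm": proc["comm"], "args": proc["args"],
                "work_process": anc, "work_process_args": procs[anc]["args"],
            })
    return hits


if __name__ == "__main__":
    for h in suspicious_children(SAMPLE_PS):
        print(f"pid {h['pid']} ({h['args']}) spawned under work process {h['work_process']}")
```

On the sample, only PID 1300 (`sh -c id` under work process 1260) is reported; the `bash` under sshd and `sapxpg` under the gateway are not, because neither descends from a work process. Tune INTERPRETERS to what your SAP hosts legitimately run before alerting on it.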
Monitoring Recommendations
- Forward the SAP Security Audit Log, RFC gateway log, and host process telemetry to a centralized SIEM for correlation.
- Baseline normal RFC traffic to SLT and alert on deviations in caller host, calling user, frequency, or parameters.
- Track changes to the authorization objects S_RFC, S_DEVELOP, and S_ADMI_FCD in the roles of administrative accounts.
- Alert on creation of background jobs that invoke transformation modules outside approved schedules.
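The audit-log review from the detection strategies and the baseline-and-alert step above, combined in one added example that is not code from SAP or from the advisory. It parses a pipe-delimited Security Audit Log export (the layout and the sample lines are constructed; the message text mimics the AUK/AUL "RFC Call ... (Function Group = ...)" events), keeps only calls to SLT function modules, and raises three kinds of finding: a caller outside the baseline of admin terminals and RFC service users, a failed call to an SLT module, and a burst of calls by one user. The IUUC_ and DMC_ prefixes, the baseline sets, the user and terminal names, and the function module names are assumptions; confirm the prefixes against your DMIS function groups in SE37 before relying on them.

```python
"""Hunt Security Audit Log RFC-call events for anomalous use of SLT function modules.

Added example; not code from SAP or from the advisory. SAMPLE_LOG is a
constructed export: date|time|client|user|terminal|event|message.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Security Audit Log event IDs for RFC function calls (audit class "RFC call").
RFC_CALL_EVENTS = {"AUK": "successful", "AUL": "failed"}
# Assumption: prefixes of the SLT (DMIS) function modules to watch.
SLT_PREFIXES = ("IUUC_", "DMC_")
# Constructed baseline: where, and as whom, SLT administration normally happens.
KNOWN_ADMIN_TERMINALS = {"slt-admin-ws01"}
KNOWN_RFC_SERVICE_USERS = {"SLT_RFC_SVC"}
BURST_THRESHOLD = 5                   # this many calls by one user ...
BURST_WINDOW = timedelta(minutes=2)   # ... inside this window is a burst

FM_RE = re.compile(r"RFC call (\S+) \(function group = (\S+)\)", re.IGNORECASE)

# Constructed sample: a service user, an admin from the usual workstation, and a
# temporary basis user hammering one SLT module from an unknown address.
SAMPLE_LOG = """\
2026-01-14|08:00:01|100|SLT_RFC_SVC|slt-src-erp01|AUK|Successful RFC Call IUUC_REPL_DEMO_READ (Function Group = IUUC_DEMO)
2026-01-14|08:00:05|100|ADMIN_JDOE|slt-admin-ws01|AUK|Successful RFC Call DMC_DEMO_CONFIG (Function Group = DMC_DEMO)
2026-01-14|08:01:10|100|BASIS_TMP|10.20.30.40|AUK|Successful RFC Call IUUC_REPL_DEMO_EXEC (Function Group = IUUC_DEMO)
2026-01-14|08:01:11|100|BASIS_TMP|10.20.30.40|AUL|Failed RFC Call IUUC_REPL_DEMO_EXEC (Function Group = IUUC_DEMO)
2026-01-14|08:01:12|100|BASIS_TMP|10.20.30.40|AUK|Successful RFC Call IUUC_REPL_DEMO_EXEC (Function Group = IUUC_DEMO)
2026-01-14|08:01:13|100|BASIS_TMP|10.20.30.40|AUK|Successful RFC Call IUUC_REPL_DEMO_EXEC (Function Group = IUUC_DEMO)
2026-01-14|08:01:14|100|BASIS_TMP|10.20.30.40|AUK|Successful RFC Call IUUC_REPL_DEMO_EXEC (Function Group = IUUC_DEMO)
2026-01-14|08:02:00|100|ADMIN_JDOE|slt-admin-ws01|AUK|Successful RFC Call RFC_PING (Function Group = SRFC)
2026-01-14|08:03:00|100|ADMIN_JDOE|slt-admin-ws01|AU3|Transaction LTRC Started
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # unknown_caller | failed_slt_call | burst
    user: str
    terminal: str
    fm: str
    detail: str


def parse_line(line: str) -> dict:
    date, time, client, user, terminal, event, msg = line.split("|", 6)
    m = FM_RE.search(msg)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "client": client, "user": user, "terminal": terminal, "event": event,
        "fm": m.group(1) if m else "", "group": m.group(2) if m else "",
    }


def _has_burst(times: List[datetime]) -> bool:
    """Sliding window: True if BURST_THRESHOLD calls fall inside BURST_WINDOW."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > BURST_WINDOW:
            start += 1
        if end - start + 1 >= BURST_THRESHOLD:
            return True
    return False


def hunt(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen_callers = set()
    call_times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] not in RFC_CALL_EVENTS or not rec["fm"].startswith(SLT_PREFIXES):
            continue
        call_times[rec["user"]].append(rec["ts"])
        key = (rec["user"], rec["terminal"], rec["fm"])
        if (rec["terminal"] not in KNOWN_ADMIN_TERMINALS
                and rec["user"] not in KNOWN_RFC_SERVICE_USERS
                and key not in seen_callers):
            seen_callers.add(key)   # one finding per (user, terminal, module)
            findings.append(Finding("unknown_caller", *key,
                                    f"call from unbaselined terminal {rec['terminal']}"))
        if rec["event"] == "AUL":
            findings.append(Finding("failed_slt_call", *key,
                                    "failed RFC call: probing or authorization failure"))
    for user, times in call_times.items():
        if _has_burst(times):
            findings.append(Finding("burst", user, "*", "*",
                                    f"{len(times)} SLT calls, {BURST_THRESHOLD}+ within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:16} user={f.user:12} terminal={f.terminal:15} fm={f.fm} : {f.detail}")
```

On the sample this yields exactly three findings, all for BASIS_TMP: an unknown caller, a failed call, and a burst; the service user and the admin on the baselined workstation produce nothing, and RFC_PING is ignored because it is not an SLT module. The failed-call rule matters because an attacker testing which modules are reachable tends to leave AUL events before the first successful AUK.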
How to Mitigate CVE-2026-0491
Immediate Actions Required
- Apply the patch referenced in SAP Note #3697979 on all SLT systems.
- Review and reduce the number of accounts holding administrative authorizations on SAP systems running SLT.
- Restrict which principals may call SLT function modules: scope S_RFC to the required function groups and, where Unified Connectivity (UCON) is active, keep the affected module out of the externally callable allow list. Gateway ACLs (reginfo and secinfo) govern registered and started external programs, not calls to ABAP function modules, so treat them as a complement rather than the control.
- Rotate credentials for administrative and RFC service accounts after patching.
Patch Information
SAP released the fix as part of SAP Security Patch Day. Customers should consult SAP Note #3697979 and the SAP Security Patch Day portal for affected versions, kernel requirements, and installation instructions. Apply the correction in non-production first, then promote through the standard transport landscape.
Workarounds
- Limit RFC connectivity to SLT systems to a defined allow list of trusted hosts, using network controls on the gateway port (33<instance number>) and UCON for the function modules themselves.
- Remove or tighten the S_RFC authorization object scope for non-essential administrative users until patching completes.
- Disable unused RFC destinations (SM59) associated with Landscape Transformation and block unused SLT function modules through UCON if business processes permit.
- Increase Security Audit Log verbosity for RFC calls and review the logs daily until the patch is deployed.
# Example: gateway ACLs (secinfo and reginfo). They govern starting external
# programs and registering RFC server programs at the gateway, not RFC calls
# to ABAP function modules (that is S_RFC and UCON). Activate via gw/sec_info
# and gw/reg_info, then reread them in SMGW.
# secinfo - only the system's own servers may start external programs, only on the SLT host
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=sap-app-01.internal
D TP=* USER=* USER-HOST=* HOST=*
# reginfo - only sap-app-01.internal may register SLT_* (placeholder name); only internal servers may use or cancel
#VERSION=2
P TP=SLT_* HOST=sap-app-01.internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

