CVE-2026-24322 Overview
SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability, classified under CWE-862 (Missing Authorization), enables authenticated attackers to access confidential data through network-based attacks without requiring user interaction.
Critical Impact
Authenticated users can bypass authorization controls to access sensitive information, with high impact on data confidentiality across affected SAP systems.
Affected Products
- SAP Solution Tools Plug-In (ST-PI)
Discovery Timeline
- 2026-02-10 - CVE-2026-24322 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-24322
Vulnerability Analysis
This vulnerability is a Missing Authorization (CWE-862) flaw in SAP Solution Tools Plug-In (ST-PI). The affected function module does not check the caller's authorization before returning sensitive data, so any authenticated user who can reach the module, regardless of role, can read information they are not entitled to. It is an implementation defect in one module (a missing check) rather than an architectural weakness.
The flaw is exploitable over the network with low attack complexity: an attacker holding valid but low-privileged credentials can invoke the module and read the data it returns. The impact extends beyond the vulnerable component itself (a CVSS scope change), so data belonging to other components of the SAP environment may be exposed. Confidentiality is severely impacted; the flaw does not allow data modification (integrity) or service disruption (availability).
Root Cause
The root cause of CVE-2026-24322 is the absence of proper authorization validation within a function module in SAP Solution Tools Plug-In (ST-PI). The function module processes requests from authenticated users without verifying whether the requesting user has the appropriate authorization objects or role assignments to access the requested data. In ABAP terms, the module reads and returns the data without a successful AUTHORITY-CHECK on a suitable authorization object (or without acting on the check's result), so the principle of least privilege is not enforced at the application layer.
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to have authenticated access to the SAP system. The exploitation follows this pattern:
- Initial Access: Attacker authenticates to the SAP system using valid credentials (even low-privilege accounts)
- Function Module Invocation: Attacker calls the vulnerable function module within ST-PI
- Authorization Bypass: The function module processes the request without verifying authorization checks
- Data Exfiltration: Sensitive information is returned to the attacker that they should not have access to
No privilege beyond a valid logon is needed, so any user with legitimate credentials, including those with minimal access rights, can exploit the flaw. One caveat for assessment: the advisory does not say how the module is reached. If it is remote-enabled, a caller arrives over RFC, and the only gate in front of the module is the RFC layer's S_RFC check on the function group (enforced when auth/rfc_authority_check is set); if it is invoked locally, for example from the SE37 test frame, the caller needs development authorizations (S_DEVELOP) instead. In either case the module itself performs no check, and that is the defect.
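What the missing check in the root cause looks like in a function module, beside the corrected form, as an added ABAP illustration: this is not ST-PI code and not SAP's fix, and the module names, the table ZDEMO_SECRETS with its fields, the authorization object ZDEMO_PRM and the parameter name in the caller are hypothetical. Only the AUTHORITY-CHECK, sy-subrc and S_RFC mechanics are real SAP behaviour.

```abap
* Added illustration (not ST-PI code). Module names, table ZDEMO_SECRETS,
* its fields and authorization object ZDEMO_PRM are hypothetical.

FUNCTION z_demo_read_param_vulnerable.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_PARAM_NAME) TYPE CHAR30
*"  EXPORTING
*"     VALUE(EV_VALUE) TYPE CHAR255
*"----------------------------------------------------------------------
* CWE-862 shape: the module trusts that whoever reached it may read the
* data. If the module is remote-enabled, the only gate in front of it is
* the RFC layer's S_RFC check on the function group, which says nothing
* about whether this user may see this particular parameter.
  SELECT SINGLE secret_val FROM zdemo_secrets
    INTO ev_value
    WHERE param_name = iv_param_name.
  IF sy-subrc <> 0.
    CLEAR ev_value.
  ENDIF.
ENDFUNCTION.

FUNCTION z_demo_read_param_fixed.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_PARAM_NAME) TYPE CHAR30
*"  EXPORTING
*"     VALUE(EV_VALUE) TYPE CHAR255
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
* Corrected shape: check a dedicated authorization object before any
* data access, and act on the result. AUTHORITY-CHECK only sets
* sy-subrc; a module that runs the statement but never tests sy-subrc
* is still CWE-862. Any non-zero value (no authorization, object not in
* the user's buffer, field mismatch) must deny.
  AUTHORITY-CHECK OBJECT 'ZDEMO_PRM'
    ID 'ACTVT'   FIELD '03'
    ID 'PRMNAME' FIELD iv_param_name.
  IF sy-subrc <> 0.
    " Raise an exception to the caller instead of returning empty data,
    " so the denial is visible to the caller and in SU53 / STAUTHTRACE.
    RAISE not_authorized.
  ENDIF.

  SELECT SINGLE secret_val FROM zdemo_secrets
    INTO ev_value
    WHERE param_name = iv_param_name.
  IF sy-subrc <> 0.
    CLEAR ev_value.
  ENDIF.
ENDFUNCTION.

* Caller side (hypothetical parameter name): the caller must handle the
* exception and must not read an empty EV_VALUE as "no such parameter".
DATA lv_value TYPE char255.
CALL FUNCTION 'Z_DEMO_READ_PARAM_FIXED'
  EXPORTING
    iv_param_name  = 'DB_CONNECT_STRING'
  IMPORTING
    ev_value       = lv_value
  EXCEPTIONS
    not_authorized = 1
    OTHERS         = 2.
IF sy-subrc <> 0.
  " Denied (1) or call failure (2): log and stop, do not continue with lv_value.
ENDIF.
```

The in-module AUTHORITY-CHECK is the control the advisory says is missing. S_RFC on the function group, if the module is remote-enabled, is a separate and coarser control that decides only whether a user may call the group at all; tightening it is the interim mitigation, not a replacement for the fix.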
Detection Methods for CVE-2026-24322
Indicators of Compromise
- Unusual access patterns to ST-PI function modules from users who do not typically interact with these components
- Elevated frequency of function module calls from low-privilege user accounts
- Access logs showing retrieval of sensitive data by unauthorized user roles
- Anomalous data access requests originating from accounts with limited business need for ST-PI functionality
Detection Strategies
- Monitor the SAP Security Audit Log (read with SM20 or RSAU_READ_LOG; SM21 is the system log, not the audit log) for RFC calls into ST-PI function groups. With the RFC-call event class active, event AUK records a successful RFC function call and AUL a failed one, each naming the function module and its function group
- Record and review who invokes the sensitive ST-PI function modules, for example from the RFC statistics records in STAD, and compare against the accounts expected to call them
- Note that before the patch is applied a call to the flawed module succeeds without any failed authorization, so there is nothing to alert on in failed-check events; alert instead on the calling user, client and source host against an allow-list of accounts with a business need. After patching, failed checks (visible in SU53 and STAUTHTRACE) become a usable signal
- Enable gateway logging (profile parameter gw/logging) and review the gateway log for RFC connections that target ST-PI function groups from unexpected sources
Monitoring Recommendations
- Enable the Security Audit Log's RFC-call event class and gateway logging on systems running ST-PI, so that invocations of its function modules are recorded with user and source
- Establish baseline access patterns for ST-PI components and alert on deviations
- Integrate SAP logs with SIEM solutions for real-time correlation and alerting
- Conduct periodic reviews of user authorization assignments related to ST-PI
How to Mitigate CVE-2026-24322
Immediate Actions Required
- Apply the security patch referenced in SAP Note 3705882 immediately
- Review and restrict user authorizations for ST-PI function modules to only those with legitimate business need
- Audit recent access logs for potential exploitation attempts
- Customers cannot safely add checks inside an SAP-delivered function module, so the realistic interim control is to restrict who can reach it: tighten S_RFC (fields RFC_TYPE FUGR or FUNC, RFC_NAME, ACTVT 16) to the affected function group named in the SAP note, and remove broad S_RFC grants such as RFC_NAME = * from end-user roles until the patch is deployed
Patch Information
SAP has released a security patch addressing this vulnerability as part of their Security Patch Day program. Administrators should reference SAP Note 3705882 for detailed patching instructions and prerequisites. The patch implements proper authorization validation within the affected function module to ensure only appropriately authorized users can access sensitive information.
For comprehensive guidance on SAP security updates, refer to the SAP Security Patch Day portal.
Workarounds
- Restrict network access to SAP systems to trusted IP ranges and segments
- Restrict, via S_RFC in PFCG roles, which users can invoke the affected ST-PI function group remotely; ST-PI is primarily called by SAP Solution Manager or Focused Run, so the RFC communication users for those systems, not dialog users, normally need the access
- Deploy SAP Enterprise Threat Detection to monitor for exploitation attempts
- Consider temporarily disabling non-essential ST-PI functionality until the patch can be applied, bearing in mind that ST-PI carries the managed-system connection to SAP Solution Manager or Focused Run, so disabling parts of it affects monitoring and EarlyWatch Alert data collection
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.