CVE-2026-44750 Overview
CVE-2026-44750 is a missing authorization check vulnerability in the SAP Master Data Governance (MDG) Review Match Groups Application. The application fails to enforce authorization checks for authenticated users, allowing a low-privileged user to perform actions that would otherwise be restricted. Successful exploitation results in privilege escalation with a low impact on integrity. Confidentiality and availability are not affected. The flaw is classified under CWE-862: Missing Authorization.
Critical Impact
Authenticated low-privileged users can perform restricted actions in the SAP MDG Review Match Groups Application, leading to privilege escalation with limited integrity impact.
Affected Products
- SAP Master Data Governance (MDG)
- SAP MDG Review Match Groups Application
- Refer to SAP Note #3673181 for the complete list of affected SAP MDG versions
Discovery Timeline
- 2026-06-09 - CVE-2026-44750 published to the National Vulnerability Database
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-44750
Vulnerability Analysis
The vulnerability resides in the Review Match Groups Application within SAP Master Data Governance. SAP MDG centralizes the governance of master data such as business partners, materials, and financial entities across SAP landscapes. The Review Match Groups Application supports the review and reconciliation of duplicate or matched data records during governance workflows.
The application does not validate whether the authenticated user holds the authorization objects required to perform certain operations. As a result, any authenticated user with low privileges can invoke functionality intended for users with higher authorization levels. The flaw is a server-side authorization enforcement gap, not a client-side restriction that could be bypassed by interface manipulation alone.
The impact is limited to integrity. Attackers cannot read sensitive data they were not already entitled to view, and they cannot disrupt availability. They can, however, modify master data review outcomes in ways that should require elevated privileges.
Root Cause
The root cause is a missing authorization check [CWE-862]. SAP ABAP applications rely on explicit AUTHORITY-CHECK statements to validate that a user has the required authorization objects before executing privileged actions. In the affected component, one or more of these checks are absent from the code path serving the Review Match Groups Application functions.
Attack Vector
Exploitation requires network access to the SAP MDG application and a valid authenticated session with low privileges. No user interaction is required beyond the attacker submitting crafted requests. The attacker authenticates with existing low-privileged credentials, navigates to or directly invokes the Review Match Groups Application function, and triggers actions that should be gated by authorization checks. Because the server does not enforce those checks, the actions complete successfully and the user effectively escalates privileges within the MDG workflow.
No verified exploit code or public proof-of-concept is available at the time of publication. See the SAP Security Patch Day advisory for vendor guidance.
Detection Methods for CVE-2026-44750
Indicators of Compromise
- Audit log entries showing low-privileged users invoking Review Match Groups Application transactions or function modules they have not historically used.
- Successful modification of match group review outcomes performed by user accounts lacking the expected MDG governance roles.
- Unexpected sequences of MDG workflow state changes initiated from non-administrative user sessions.
Detection Strategies
- Enable and review the SAP Security Audit Log (SM19/SM20) for transactions and RFC calls related to the MDG Review Match Groups Application.
- Correlate user role assignments against the activities performed in MDG to identify activity inconsistent with assigned authorization profiles.
- Use SAP UI logging and Read Access Logging (RAL) where applicable to capture access patterns to the affected application.
Monitoring Recommendations
- Ingest SAP audit and change document logs into a centralized SIEM and alert on privilege-sensitive MDG operations performed by non-privileged accounts.
- Baseline normal usage of the Review Match Groups Application per user role and alert on deviations.
- Monitor SAP change documents for unauthorized modifications to master data review decisions.
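The role-versus-activity correlation and per-role baseline described in the detection and monitoring lists above can be prototyped as follows. This is an added example, not SAP or vendor code; the role name, application ID, event names and log layout are hypothetical placeholders, and the sample rows are constructed.

```python
import csv
import io

# Hypothetical placeholders: the page does not name the real role, application
# or event identifiers, so substitute the values used in your own landscape.
REQUIRED_ROLE = "Z_EXAMPLE_MDG_MATCH_REVIEWER"
APP_ID = "REVIEW_MATCH_GROUPS_APP"
SENSITIVE_EVENTS = {"MATCH_GROUP_DECISION_CHANGED"}

# Constructed sample: user-to-role assignments exported from user administration.
ROLE_ASSIGNMENTS = {
    "DSTEWARD01": {"Z_EXAMPLE_MDG_MATCH_REVIEWER"},
    "CLERK07": {"Z_EXAMPLE_MDG_DISPLAY"},
    "CLERK12": {"Z_EXAMPLE_MDG_DISPLAY"},
}

# Constructed sample: normalized audit rows (not the native Security Audit Log layout).
AUDIT_CSV = """timestamp,user,app,event
2026-05-20T09:14:03,DSTEWARD01,REVIEW_MATCH_GROUPS_APP,APP_STARTED
2026-05-20T09:15:40,DSTEWARD01,REVIEW_MATCH_GROUPS_APP,MATCH_GROUP_DECISION_CHANGED
2026-06-10T10:01:22,DSTEWARD01,REVIEW_MATCH_GROUPS_APP,MATCH_GROUP_DECISION_CHANGED
2026-06-10T11:30:05,CLERK07,REVIEW_MATCH_GROUPS_APP,APP_STARTED
2026-06-10T11:31:48,CLERK07,REVIEW_MATCH_GROUPS_APP,MATCH_GROUP_DECISION_CHANGED
2026-06-10T12:00:00,CLERK12,OTHER_APP,APP_STARTED
"""

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_anomalies(events, roles, baseline_cutoff):
    """Flag sensitive actions by users lacking the role, and first-time app use."""
    in_app = [e for e in events if e["app"] == APP_ID]
    # Users seen in the application before the cutoff form the usage baseline.
    baseline = {e["user"] for e in in_app if e["timestamp"] < baseline_cutoff}
    alerts, first_use_flagged = [], set()
    for e in sorted(in_app, key=lambda r: r["timestamp"]):
        if e["timestamp"] < baseline_cutoff:
            continue
        user = e["user"]
        if e["event"] in SENSITIVE_EVENTS and REQUIRED_ROLE not in roles.get(user, set()):
            alerts.append(("UNAUTHORIZED_ACTION", user, e["timestamp"]))
        elif user not in baseline and user not in first_use_flagged:
            first_use_flagged.add(user)
            alerts.append(("FIRST_USE", user, e["timestamp"]))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(load_events(AUDIT_CSV), ROLE_ASSIGNMENTS, "2026-06-01T00:00:00"):
        print(alert)
```

ISO 8601 timestamps are compared as strings, so the export must use one fixed-width format and a single time zone.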
How to Mitigate CVE-2026-44750
Immediate Actions Required
- Apply the SAP-provided patch referenced in SAP Note #3673181 as soon as it can be tested and deployed.
- Review user assignments for MDG roles and remove unnecessary access to the Review Match Groups Application.
- Audit recent activity in MDG match group reviews to identify any unauthorized changes prior to patching.
Patch Information
SAP released the fix as part of the SAP Security Patch Day program. Customers should consult SAP Note #3673181 for the exact support package and patch level required for their SAP MDG release. Additional advisories are available on the SAP Security Patch Day portal.
Workarounds
- Restrict access to the Review Match Groups Application to users who explicitly require it through tightened authorization profile assignments.
- Implement compensating controls in custom MDG workflows that revalidate user authorizations before committing review decisions.
- Increase audit log retention and review frequency for MDG transactions until the patch is deployed.


