CVE-2026-24310 is a security vulnerability identified in SAP NetWeaver Application Server for ABAP, specifically within multiple SAP_BASIS versions from 702 to 816. The root cause is a missing authorization check (CWE-862) in certain ABAP function modules, which allows an authenticated attacker with low privileges to execute these modules and access sensitive information stored in the database catalog of the ABAP system. This vulnerability does not allow modification or deletion of data, nor does it impact system availability, limiting its effect primarily to confidentiality. The attack vector is network-based, requiring the attacker to have some level of authenticated access but no user interaction is needed. The vulnerability has been assigned a CVSS v3.1 score of 3.5, reflecting low severity due to the limited impact and the requirement for authentication and high attack complexity. No public exploits or active exploitation have been reported to date. The vulnerability affects a broad range of SAP_BASIS versions, which are core components of SAP NetWeaver Application Server for ABAP, widely used in enterprise environments for running SAP applications. The missing authorization check could allow attackers to gain unauthorized read access to sensitive metadata or configuration data, potentially aiding further reconnaissance or targeted attacks.

The primary impact of CVE-2026-24310 is the unauthorized disclosure of sensitive information from the SAP ABAP database catalog. While the confidentiality impact is low, this information could include metadata or configuration details that might assist attackers in planning more sophisticated attacks or gaining deeper insight into the SAP environment. There is no direct impact on data integrity or system availability, limiting the immediate operational risk. However, organizations relying heavily on SAP NetWeaver for critical business processes could face increased risk if attackers leverage this information for subsequent attacks. The requirement for authenticated access reduces the attack surface but does not eliminate risk, especially in environments with weak internal access controls or compromised credentials. Given SAP's widespread use in large enterprises worldwide, particularly in finance, manufacturing, and supply chain sectors, the vulnerability could affect organizations globally, potentially exposing sensitive business information.

Organizations should monitor SAP Security Notes and apply official patches or updates from SAP as soon as they become available for the affected SAP_BASIS versions. In the interim, review and tighten authorization roles and permissions to ensure that only trusted users have access to execute sensitive ABAP function modules. Implement strict network segmentation and access controls to limit exposure of SAP NetWeaver systems to trusted networks and users. Conduct regular audits of user privileges and monitor for unusual access patterns to detect potential exploitation attempts. Employ SAP’s security tools and logs to track ABAP function module executions and database catalog access. Additionally, consider deploying application-level firewalls or SAP-specific security solutions that can detect and block unauthorized function calls. Educate SAP administrators and security teams about this vulnerability to ensure timely response and remediation.