CVE-2026-44743: SAP Business Objects Information Disclosure Vulnerability
CVE-2026-44743 is a low-severity information disclosure vulnerability in SAP Business Objects that allows unauthorized attackers to leak sensitive data through a specific application endpoint. The vulnerability requires specific conditions to be exploitable and does not affect system integrity or availability—only the confidentiality of information is at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-497
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information .This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from exposure of sensitive information through an unauthenticated network-accessible endpoint in SAP Business Objects, classified under CWE-497 (Exposure of Sensitive Information). The CVSS 3.1 score of 3.7 (LOW) reflects the low attack complexity (AC:H), lack of authentication requirement (PR:N), and limited scope of impact to confidentiality (C:L). The vulnerability requires specific conditions to manifest and cannot degrade system integrity or service availability.
Business impact
While categorized as low-severity, this information disclosure poses moderate business risk depending on the sensitivity of leaked data. If the exposed information includes customer records, financial details, or proprietary analytics, the exposure could trigger regulatory notification obligations (GDPR, CCPA), reputational damage, or competitive harm. Organizations should assess what data is accessible through the affected endpoint in their SAP Business Objects deployments to determine actual business exposure.
Affected systems
SAP Business Objects systems are affected. Vendor and product-specific details are not provided in available advisory data; organizations must consult SAP's official security advisory and their own deployment inventory to confirm which specific versions and configurations are impacted.
Exploitability
The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been documented at the time of publication. However, the low attack complexity and lack of authentication requirements make this vulnerability relatively straightforward to exploit once the specific endpoint and triggering conditions are identified. The requirement for 'specific conditions' may indicate the attack requires particular application state or configuration, which could limit opportunistic exploitation.
Remediation
Consult SAP's official security advisory for CVE-2026-44743 to identify available patches or configuration changes. Since vendor and product details are not yet detailed in this advisory, organizations should contact SAP directly or monitor their security portal for guidance specific to their Business Objects version and deployment. Implement compensating controls such as network segmentation to restrict endpoint access and monitor for unusual data access patterns.
Patch guidance
Verify the applicable SAP Business Objects patch version(s) against the official SAP security advisory for CVE-2026-44743. Patch deployment should be sequenced according to your change management process; the low CVSS score allows for standard patch windows rather than emergency deployment. Test patches in non-production environments first, particularly given the specific endpoint and conditions involved.
Detection guidance
Monitor SAP Business Objects application logs for unusual access to the vulnerable endpoint, including patterns from unauthenticated sources. Track data export or API calls that may indicate reconnaissance or information gathering. Security information and event management (SIEM) systems should flag anomalous queries or downloads from Business Objects environments. Network intrusion detection systems may identify exploitation attempts if the affected endpoint generates distinctive traffic patterns.
Why prioritize this
While the CVSS score is low, prioritization depends on the sensitivity of data accessible through the affected endpoint and your organization's regulatory posture. Prioritize remediation if Business Objects handles customer personal data, financial information, or trade secrets. Organizations in regulated industries or with stringent data protection requirements should treat this higher in their queue. The lack of KEV status and apparent low active exploitation reduces urgency compared to critical vulnerabilities, allowing for planned remediation within standard patch cycles.
Risk score, explained
The CVSS 3.1 score of 3.7 reflects: (1) network accessibility with high attack complexity, (2) no authentication bypass (attacker must be unauthorized but can reach the endpoint), and (3) impact limited to confidentiality. The score does not account for business context—organizations handling sensitive data should apply additional risk weighting beyond the base CVSS score when determining actual organizational risk.
Frequently asked questions
Is this vulnerability actively exploited?
CVE-2026-44743 is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. This does not guarantee the absence of exploitation, but suggests active, widespread exploitation has not been publicly documented. However, the straightforward nature of the vulnerability means it could be exploited opportunistically once discovered.
Do we need to patch immediately?
The CVSS 3.1 score of 3.7 does not warrant emergency patching. Include this in your regular patch management cycle, with prioritization based on whether the affected endpoint and data are exposed to your threat model. If Business Objects is internet-facing or handles sensitive information, accelerate patching accordingly.
What specific SAP Business Objects versions are affected?
This initial advisory does not specify affected versions. Consult SAP's official security advisory for CVE-2026-44743 to determine which versions are vulnerable and what patches are available. Your SAP support team can also help map your deployed versions to the vulnerable range.
What data is at risk if this is exploited?
The vulnerability leaks 'sensitive information' through a specific endpoint, but the exact data category is not specified here. Review your SAP Business Objects configuration and data classifications to determine what is accessible through the affected endpoint—this will inform your actual risk and remediation priority.
This analysis is based on publicly available information as of the CVE publication date. Vendor and affected product details are incomplete in the source advisory; verify all patch versions, affected software versions, and remediation steps against the official SAP security advisory before taking action. SEC.co makes no representation regarding exploit availability, active exploitation, or real-world attack patterns beyond what is documented in official vulnerability databases. Organizations must assess their own exposure based on their Business Objects deployment, data classification, and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-49077MEDIUMWP eMember Information Disclosure Vulnerability
- CVE-2024-42206LOWHCL iReflection Third-Party Component Vulnerability
- CVE-2025-12656LOWWPvivid Plugin Arbitrary Directory Deletion Vulnerability
- CVE-2025-48616LOWAndroid Lockdown Bypass via Screen Pinning Logic Error
- CVE-2025-52608LOWHCL iControl Missing Cookie Attributes Vulnerability
- CVE-2025-52609LOWHCL iControl Missing Security Headers XSS Vulnerability
- CVE-2025-52611LOWHCL iControl Stack Trace Disclosure (v4.0.0)
- CVE-2025-62338LOWHCL BigFix CLM Input Validation Flaw – Information Disclosure Risk