{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23689", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-14T18:26:17.297Z", "datePublished": "2026-02-10T03:03:09.536Z", "dateUpdated": "2026-02-10T03:03:09.536Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Supply Chain Management", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SCMAPO 713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "SCM 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.</p>"}], "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-606", "description": "CWE-606: Unchecked Input for Loop Condition", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:03:09.536Z"}, "references": [{"url": "https://me.sap.com/notes/3703092"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of service (DOS) in SAP Supply Chain Management", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:713:*:*:*:*:*:*:*", "matchCriteriaId": "8E303C34-3616-489F-BEA3-456E302E2D38", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:advanced_planning_and_optimization:714:*:*:*:*:*:*:*", "matchCriteriaId": "82CF8FC0-AECD-4ACC-B823-45645A5B2D83", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "A19AC4DB-E940-46AC-9E3D-4108B3F07BC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "B0A1E0EC-CA14-4AA4-A798-E4E9AD59E45B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "D0B74ECC-DC88-4171-B091-49BD76491336", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:supply_chain_management:712:*:*:*:*:*:*:*", "matchCriteriaId": "9172B1E7-CEDA-4A60-9915-E744FC1319FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected."}, {"lang": "es", "value": "Debido a una vulnerabilidad de consumo de recursos no controlado (denegaci\u00f3n de servicio), un atacante autenticado con privilegios de usuario regular y acceso a la red puede invocar repetidamente un m\u00f3dulo de funci\u00f3n habilitado remotamente con un par\u00e1metro de control de bucle excesivamente grande. Esto desencadena una ejecuci\u00f3n de bucle prolongada que consume recursos excesivos del sistema, lo que podr\u00eda dejar el sistema no disponible. La explotaci\u00f3n exitosa resulta en una condici\u00f3n de denegaci\u00f3n de servicio que afecta la disponibilidad, mientras que la confidencialidad y la integridad permanecen inafectadas."}], "id": "CVE-2026-23689", "lastModified": "2026-02-17T15:57:04.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T04:16:03.500", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3703092"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-606"}], "source": "cna@sap.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2026-02-10T15:37:18.300082+00:00", "updated": "2026-02-10T15:37:18.300178+00:00", "vendors": ["sap", "sap$PRODUCT$supply_chain_management"]}