SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-27690 2026-07-13

SAP Approuter HTTP Request Smuggling — CVE-2026-27690

"A critical (CVSS 9.1) HTTP request smuggling flaw in SAP Approuter lets an unauthenticated attacker desynchronize requests and responses, exposing user data and knocking systems offline."

A critical (CVSS 9.1) HTTP request smuggling flaw in SAP Approuter lets an unauthenticated attacker desynchronize requests and responses, exposing user data and knocking systems offline.

What Is It

CVE-2026-27690 is an HTTP Request Smuggling vulnerability (CWE-444) in SAP Approuter. Because of the flaw, an unauthenticated attacker can send a specially crafted HTTP request that causes request-response desynchronization. This can result in the exposure of user responses and can render the system unavailable, producing a high impact on both confidentiality and availability.

The issue carries a CVSS 3.1 base score of 9.1 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, network-reachable, low complexity, and requiring neither privileges nor user interaction.

Why It Matters

SAP Approuter typically sits at the edge of SAP application deployments, routing traffic to backend services. A request smuggling weakness at that layer means an unauthenticated, remote attacker can desynchronize the connection to leak other users' responses (high confidentiality impact) and force a denial of service (high availability impact). The combination of no authentication, low attack complexity, and network exposure makes this a high-priority exposure for any internet-facing Approuter instance.

Note: the supplied CISA KEV entry is empty, so there is no confirmation of active exploitation in this source material.

What's Vulnerable

Versions 20.10.0 and later are listed as unaffected.

Patch Status

SAP has published guidance under SAP Security Note 3720138 (released via SAP Security Patch Day). Remediation is to upgrade the SAP Approuter Node.js package to version 20.10.0 or later, which is not affected. Administrators should apply the referenced SAP Note and update accordingly.

Sources