A critical XML signature-verification weakness in SAP NetWeaver Application Server ABAP lets an authenticated, low-privileged attacker forge trusted identity information; it carries a CVSS 3.1 base score of 9.9.
What Is It
CVE-2026-44748 is an improper-verification-of-cryptographic-signature flaw (CWE-347) in SAP NetWeaver Application Server ABAP and the ABAP Platform. According to SAP's CVE record, an authenticated attacker holding normal privileges can obtain a valid signed message and then submit modified signed XML documents to the verifier. The verifier accepts the tampered content, allowing falsified identity information to pass validation.
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.9 (CRITICAL), with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It is network-exploitable at low attack complexity, requires only low privileges, and needs no user interaction. The scope is "Changed," meaning the impact can reach beyond the initially vulnerable component. SAP rates the impact as high across confidentiality, integrity, and availability: acceptance of tampered identity data can lead to unauthorized access to sensitive user data and potential disruption of normal system operation.
What's Vulnerable
The affected products are SAP NetWeaver Application Server ABAP and the ABAP Platform. SAP's advisory does not enumerate specific affected version entries; refer to the SAP security note for exact version and patch-level coverage.
Patch Status
The CVE was published by SAP, acting as the CVE Numbering Authority, as part of SAP Security Patch Day. SAP has issued security note 3746332, which should be consulted for remediation guidance. The source material includes no CISA KEV entry for this CVE, so active exploitation is not confirmed.