Back to overview

CVE-2026-27690

CRITICAL
9.1
CVSS 3.1
Description
Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.

Metadata

CVE ID
CVE-2026-27690
State
PUBLISHED
Assigner
sap
Reserved
2026-02-23 17:50 UTC
Published
2026-07-14 00:17 UTC
Last updated
2026-07-14 00:17 UTC
Primary CWE
CWE-444
CWE-444: Inconsistent Interpretation of HTTP Requests
Vendor / Product
SAP_SE / SAP Approuter
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
SAP_SE SAP Approuter SAP Approuter node.js package < 20.10.0
Weakness (CWE)
CWESourceDescription
CWE-444 cna CWE-444: Inconsistent Interpretation of HTTP Requests
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Back to overview