Skip to content
Auto-CTI
Back to today
NEW CRITICAL A2

CVE-2026-27690: HTTP Request Smuggling Vulnerability in SAP Approuter

A NVD · · CVE-2026-27690

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

CVSS
9.1
EPSS
0%

Key insight

The vulnerability allows unauthenticated attackers to expose user responses and cause system unavailability through crafted HTTP requests , a critical risk for SAP-based ERP infrastructure.

Description

CVE-2026-27690 is an HTTP Request Smuggling vulnerability in SAP Approuter that allows unauthenticated attackers to send specially crafted HTTP requests causing request-response desynchronization. This leads to exposure of user responses and potential system unavailability, affecting both confidentiality and availability. Approuter is a central component in SAP Cloud environments and can provide access to multiple backend systems, making exploitation of this flaw potentially far-reaching.

Risk score

100
cvss base
91.00
kev bonus
0.00
epss bonus
0.00
poc bonus
0.00
raw before weight
91.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

MITRE ATT&CK mapping

3 TTPs
Recon
Resource Dev
Execution
Persistence
Priv. Escal.
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1190
Exploit Public-Facing Application
Initial Access An unauthenticated attacker exploits the HTTP Request Smuggling vulnerability (CVE-2026-27690) in SAP Approuter by sending a specially crafted HTTP request to cause request-response desynchronization high llm
T1565.002
Transmitted Data Manipulation
Impact The HTTP Request Smuggling vulnerability causes request-response desynchronization, leading to exposure of other users' responses through manipulation of transmitted data between client and server high llm
T1499
Endpoint Denial of Service
Impact Exploitation of the HTTP Request Smuggling vulnerability in SAP Approuter causes the system to become unavailable, resulting in high impact on availability high llm
ESC