CVE-2026-27690
SAP · Approuter
SAP Approuter is vulnerable to HTTP Request Smuggling, allowing unauthenticated attackers to desynchronize requests, leading to potential information disclosure and denial-of-service.
Executive summary
An unauthenticated HTTP request smuggling vulnerability in SAP Approuter poses a critical risk to data confidentiality and service availability.
Vulnerability
This vulnerability (CWE-444) stems from inconsistent interpretation of HTTP requests between the Approuter and downstream components, allowing an unauthenticated attacker to manipulate request processing.
Business impact
Successful exploitation allows an attacker to intercept or corrupt user responses, leading to the exposure of sensitive session data or unauthorized content. Furthermore, the ability to trigger system unavailability directly threatens business continuity, justifying the 9.1 CVSS score.
Remediation
Immediate Action: Update the SAP Approuter node.js package to version 20.10.0 or higher.
Proactive Monitoring: Review web server and application logs for malformed HTTP requests or unusual patterns of request-response desynchronization.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to normalize and inspect incoming HTTP traffic for non-compliant headers or smuggling patterns.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical severity of this vulnerability and the potential for unauthenticated remote exploitation, organizations must prioritize patching. Update all instances of the SAP Approuter node.js package to the latest version immediately to eliminate the underlying request parsing inconsistency.