CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.
Analysis (AI)
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manipulate file inclusion parameters within crafted HTTP logon requests, leading to inclusion and processing of arbitrary local files. Successful exploitation can expose or modify sensitive data and render portions of the server unavailable, with no public exploit identified at time of analysis but a CVSS of 9.0 reflecting full CIA impact with scope change.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)

| Area | Assessment |
|---|---|
| Exploitation | Exploitation requires HTTP/HTTPS network reachability to the SAP NetWeaver AS Java Web Container logon endpoint and the ability to submit a crafted logon request containing manipulated file inclusion parameters; no credentials and no user interaction are required (PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H yields 9.0: unauthenticated, network-reachable, with scope change and full CIA impact, partially offset by High attack complexity (AC:H), which implies non-trivial conditions such as specific request shaping or timing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with network reachability to the AS Java HTTP port sends a specifically crafted logon HTTP request whose file inclusion parameter contains traversal sequences pointing to a server-side resource (e.g., a configuration file or a controlled script-like asset). The Web Container resolves the manipulated path and processes the included file, allowing the attacker to disclose sensitive data such as credentials or secure store entries, tamper with included content, or trigger a fault that takes the logon path offline. No public exploit is identified at time of analysis, and the High attack complexity suggests non-trivial request shaping is required. |
| Remediation | Patch available per vendor advisory: apply the fix delivered in SAP Security Note 3727078 (https://me.sap.com/notes/3727078) at the next maintenance window, cross-referenced via the SAP Security Patch Day portal at https://url.sap/sapsecuritypatchday for the Support Package or kernel patch matching your NetWeaver AS Java release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
24 hours: Identify and inventory all SAP NetWeaver Application Server Java instances; determine network reachability and business criticality; brief SAP administrators and security leadership. …
Related identifiers: EUVD-2026-35279, GHSA-xgpc-r53m-pqc6