Skip to main content

SAP Application Server ABAP CVE-2026-40129

| EUVDEUVD-2026-29361 MEDIUM
Code Injection (CWE-94)
2026-05-12 sap GHSA-f762-3chp-r6jr
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:20 nvd
MEDIUM 4.3

DescriptionCVE.org

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

AnalysisAI

Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.

Technical ContextAI

This vulnerability exploits improper input validation in the SAP Application Server ABAP message/subscription channel processing mechanism. The root cause is CWE-94 (Code Injection), which occurs when user-controlled input is incorporated into code that is subsequently executed. The attack occurs within the context of notification channels where authenticated users can submit data that is broadcast to other subscribed users without proper sanitization or escaping. The vulnerability affects all versions of SAP Application Server ABAP for SAP NetWeaver and ABAP Platform as indicated by the wildcard CPE, suggesting a systemic issue in the channel message handling framework rather than version-specific flaw.

RemediationAI

Apply the security patch released by SAP as detailed in SAP Note 3735359 and the SAP Security Patch Day announcement at https://url.sap/sapsecuritypatchday. Because the CVE description does not specify fixed versions, consult SAP's official advisory to identify the patched version for your specific NetWeaver or ABAP Platform release line. As an interim compensating control pending patch deployment, restrict access to notification/subscription channel features to trusted user groups with elevated access controls, implement input validation and content security policies at the application layer to block injection patterns in message payloads, and monitor channel subscription activity for suspicious or unusual message content. Note that these controls may limit legitimate functionality depending on how channels are used in your environment; coordinate with business stakeholders before implementing access restrictions. Log all channel message submissions and review them for injection payloads to detect attempted exploitation. No workaround is available that fully mitigates the vulnerability without patching.

Share

CVE-2026-40129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy