Skip to main content

SAP HDI Deploy CVE-2026-40131

| EUVDEUVD-2026-29359 LOW
SQL Injection (CWE-89)
2026-05-12 sap GHSA-75qg-6cmg-3h9p
3.4
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.4 LOW
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:20 nvd
LOW 3.4

DescriptionCVE.org

SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.

AnalysisAI

SQL injection in SAP HANA Deployment Infrastructure (HDI) deploy library allows high-privileged users to manipulate dynamically constructed SQL queries, potentially altering SELECT statements and compromising confidentiality and availability. Attack requires local access and high privileges (PR:H), limiting real-world risk despite SQL injection severity. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The @sap/hdi-deploy package is a Node.js library used to deploy and manage SAP HANA artifacts. The vulnerability stems from CWE-89 (SQL Injection), where user-controlled input is concatenated directly into SQL query strings rather than using parameterized queries or prepared statements. This allows attackers with high privileges to inject arbitrary SQL syntax into SELECT statements. The affected CPE indicates all versions of the SAP HANA Deployment Infrastructure deploy library (cpe:2.3:a:sap_se:sap_hana_deployment_infrastructure_(hdi)_deploy_library:*:*:*:*:*:*:*:*) are potentially vulnerable.

RemediationAI

Apply the patch released by SAP for the @sap/hdi-deploy library as documented in SAP security note 3726962 (https://me.sap.com/notes/3726962) and the SAP Security Patch Day advisory (https://url.sap/sapsecuritypatchday). Update the @sap/hdi-deploy package to the patched version in your deployment pipeline. As a temporary compensating control, restrict deployment permissions to only trusted administrators and disable dynamic SQL construction in deployment scripts where possible; audit all deployment activities for suspicious SQL patterns. Verify that parameterized queries or prepared statements are used in any custom deployment extensions.

Share

CVE-2026-40131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy