CVE-2026-40128 Overview
CVE-2026-40128 is a path traversal vulnerability [CWE-35] in the Web Container component of SAP NetWeaver Application Server Java. An unauthenticated remote attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters. The server processes the included file, allowing the attacker to read or modify sensitive data or disrupt local system availability.
The vulnerability carries a CVSS 3.1 score of 9.0 and impacts confidentiality, integrity, and availability with scope change. No authentication or user interaction is required for exploitation.
Critical Impact
An unauthenticated attacker can traverse the file system through a crafted HTTP logon request, leading to disclosure or modification of sensitive files and partial or total denial of service on affected SAP NetWeaver Java systems.
Affected Products
- SAP NetWeaver Application Server Java
- SAP NetWeaver Application Server Java Web Container component
- SAP NetWeaver Java-based logon endpoints exposed over HTTP/HTTPS
Discovery Timeline
- 2026-06-09 - CVE-2026-40128 published to the National Vulnerability Database
- 2026-06-09 - Last updated in NVD database
- SAP Security Patch Day - SAP published SAP Note #3727078 addressing the issue
Technical Details for CVE-2026-40128
Vulnerability Analysis
The flaw resides in the Web Container of SAP NetWeaver Application Server Java, which handles HTTP logon requests. The container accepts user-controlled parameters that drive a file inclusion routine. Insufficient validation of these parameters lets an attacker escape the intended directory and reference arbitrary files on the local file system.
Once the path is resolved, the server processes the referenced file. This processing step expands the impact beyond simple disclosure. An attacker can read configuration files, credentials, or business data. The same primitive can be used to overwrite or corrupt files, or to reference resources that cause the application or host to become unavailable.
The CWE-35 classification (Path Traversal: '.../...//') covers relative traversal sequences that survive a naive filter: stripping '../' from '.../...//' in a single pass leaves '../' behind, so a sanitizer of that shape bypasses directory restrictions rather than enforcing them. The scope change in the CVSS vector indicates that the impact extends beyond the vulnerable component into adjacent system resources.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory in the logon request handler. File inclusion parameters submitted in the HTTP request are concatenated into a file path without canonicalization or allowlist-based validation. Traversal sequences such as ../ are not neutralized before the file is opened and processed.
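The flawed single-pass filter that CWE-35 is named after, beside a canonicalize-then-check resolver of the kind the root cause calls for, as an added Python illustration (not SAP's code; BASE_DIR, the function names and the payload strings are constructed for the example):

```python
import os
from typing import Optional

# Directory the logon handler is meant to serve files from.
# Constructed path for illustration; not SAP's real layout.
BASE_DIR = "/srv/netweaver/logon/templates"


def naive_strip(user_path: str) -> str:
    """Flawed sanitizer: one pass of removing '../'.

    This is the filter CWE-35 is named after. A single replace turns
    '.../...//' into '../', so the traversal survives the 'fix'.
    """
    return user_path.replace("../", "")


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable shape: strip, concatenate, open. No canonical check."""
    return os.path.normpath(os.path.join(BASE_DIR, naive_strip(user_path)))


def resolve_safe(user_path: str) -> Optional[str]:
    """Hardened shape: canonicalize first, then require containment.

    realpath() resolves every '..' and any symlink before the check, and
    commonpath() compares whole components, so a sibling directory such
    as '/srv/netweaver/logon/templates-old' cannot slip through.
    Returns the canonical path, or None if it leaves BASE_DIR.
    """
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(BASE_DIR, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def inside_base(path: str) -> bool:
    """Demonstration helper: is an absolute path still under BASE_DIR?"""
    base = os.path.realpath(BASE_DIR)
    return os.path.commonpath([base, path]) == base


if __name__ == "__main__":
    payload = ".../...//etc/passwd"                 # the CWE-35 sequence
    print(naive_strip(payload))                     # ../etc/passwd
    print(inside_base(resolve_unsafe(payload)))     # False: escaped one level
    print(resolve_safe("../../etc/passwd"))         # None: rejected
    print(resolve_safe("logon.html"))               # canonical path under BASE_DIR
```

Note that without the strip step, '.../...//' is just an odd directory name and resolve_safe() keeps it inside BASE_DIR; the flawed filter itself manufactures the traversal.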
Attack Vector
The attack is network-based and requires no credentials. An attacker sends a crafted HTTP request to a logon endpoint exposed by the NetWeaver Java Web Container. The request includes a manipulated file inclusion parameter pointing to a file outside the intended directory. The server resolves the path, opens the file, and executes its processing logic against the attacker-chosen content.
No verified public exploit code or proof-of-concept is available at the time of publication. Technical details should be obtained from the vendor advisory.
Detection Methods for CVE-2026-40128
Indicators of Compromise
- HTTP logon requests to SAP NetWeaver Java endpoints containing path traversal sequences such as ../, ..\, URL-encoded %2e%2e%2f, or double-encoded variants in query or POST parameters.
- Unexpected access to files outside the NetWeaver Java installation directory, including OS configuration files, SAP secure storage files, or SecStore.properties.
- Web Container or ICM log entries showing logon requests with abnormally long parameter values or filesystem-like paths.
- Application or system-level errors immediately following malformed logon requests, indicating processing of unintended files.
Detection Strategies
- Inspect HTTP request bodies and query strings to NetWeaver Java logon URLs for traversal patterns and encoded variants.
- Correlate access logs from the Internet Communication Manager (ICM) with file system access events on the SAP host to surface logon requests that trigger reads outside expected directories.
- Apply web application firewall (WAF) signatures for path traversal targeting SAP logon paths and alert on blocked or anomalous matches.
- Baseline normal logon request parameters and flag deviations in parameter names, lengths, or character sets.
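The normalization and matching that the indicators and detection strategies above describe, as an added Python example that is not part of the advisory: it percent-decodes repeatedly to cover %2e%2e%2f and the double-encoded variant, folds backslashes, and scopes alerts to the logon URL prefixes (irj, logon, webdynpro) named in the workaround rule. The log entries, regexes and function names are constructed for illustration, not real ICM output.

```python
import re
from urllib.parse import unquote

# Logon-related URL prefixes, taken from the advisory's WAF rule pattern.
LOGON_PATH_RE = re.compile(r"^/(irj|logon|webdynpro)/", re.IGNORECASE)
# Traversal after normalization: '../' (backslashes are folded to '/').
TRAVERSAL_RE = re.compile(r"\.\./")
# Request line inside an access-log entry, e.g. "GET /irj/portal?x=y HTTP/1.1"
REQUEST_LINE_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %2e%2e%2f and double-encoded
    %252e%252e%252f), then lowercase and fold backslashes to '/'."""
    for _ in range(rounds):           # bounded: a hostile value cannot loop
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower().replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True when a logon-path request carries a traversal sequence in its
    path or query once normalized. Widen LOGON_PATH_RE to alert everywhere."""
    path, _, query = target.partition("?")
    if not LOGON_PATH_RE.match(path):
        return False
    return any(TRAVERSAL_RE.search(normalize(part)) for part in (path, query))


def scan_log(lines):
    """Return (source_ip, target) for every entry that looks like an attempt."""
    hits = []
    for line in lines:
        m = REQUEST_LINE_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits


# Constructed sample entries in a common-log-like shape (not real ICM output).
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Jun/2026:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.10 - - [09/Jun/2026:10:01:05 +0000] "GET /irj/portal?template=..%2f..%2fetc%2fpasswd HTTP/1.1" 500 312',
    '198.51.100.7 - - [09/Jun/2026:10:02:11 +0000] "POST /logon/logon.jsp?inc=%252e%252e%252fSecStore.properties HTTP/1.1" 403 0',
    '198.51.100.7 - - [09/Jun/2026:10:02:30 +0000] "GET /webdynpro/resources/app.css HTTP/1.1" 200 800',
    '192.0.2.44 - - [09/Jun/2026:10:03:00 +0000] "GET /docs/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0',
]
```

Running scan_log(SAMPLE_LOG) flags the second and third entries only; the /docs/ line is excluded by the logon-path scope, which is the tuning decision to revisit if you want traversal alerts on every path.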
Monitoring Recommendations
- Forward NetWeaver Java dev_icm, dev_server, and security audit logs to a centralized SIEM for continuous review.
- Monitor for repeated 4xx/5xx responses from logon endpoints originating from a single source, which can indicate exploitation attempts.
- Track file integrity on SAP configuration directories to detect unauthorized modifications resulting from file inclusion abuse.
How to Mitigate CVE-2026-40128
Immediate Actions Required
- Apply the SAP-provided fix referenced in SAP Note #3727078 to all affected NetWeaver Application Server Java instances.
- Review the SAP Security Patch Day Announcement to confirm coverage of related notes for your release.
- Restrict network exposure of NetWeaver Java logon endpoints to trusted networks until patches are deployed.
- Audit recent HTTP logon traffic and file system access logs for evidence of exploitation attempts.
Patch Information
SAP has released a fix through SAP Note #3727078. Administrators must authenticate to the SAP Support Portal to download the corrective package and apply the patch following standard NetWeaver Java change management procedures. Patch metadata, prerequisite Support Package levels, and manual instructions are documented in the note.
Workarounds
- Place SAP NetWeaver Java behind a reverse proxy or WAF with rules that block path traversal sequences in HTTP parameters targeting logon URLs.
- Disable or restrict access to unused logon endpoints and components within the Web Container configuration.
- Limit inbound access to NetWeaver Java HTTP/HTTPS ports to authorized administrative networks and trusted clients only.
- Enable SAP Security Audit Log with logon and HTTP request auditing to retain forensic evidence while remediation is in progress.
# Example WAF rule pattern (vendor-neutral) to block traversal in SAP logon parameters
# Adjust to your WAF syntax and confirm against legitimate logon traffic before enforcing.
SecRule REQUEST_URI "@rx /(irj|logon|webdynpro)/.*" \
"chain,phase:2,deny,status:403,id:1004012801,msg:'SAP NetWeaver Java path traversal attempt (CVE-2026-40128)'"
SecRule ARGS|REQUEST_BODY "@rx (\.\./|\.\.\\|%2e%2e(%2f|%5c)|%252e%252e(%252f|%255c))" \
"t:none,t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

