CVE-2026-40129 Overview
CVE-2026-40129 is a code injection vulnerability [CWE-94] in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send crafted inputs to the application. The application delivers these inputs to users subscribed to a channel, where they execute. Successful exploitation lets the attacker execute arbitrary code in the context of other users, producing a limited integrity impact without affecting confidentiality or availability.
The vulnerability requires low privileges and no user interaction, and it is exploitable over the network. SAP addressed the issue through the May 2026 SAP Security Patch Day release referenced in SAP Note #3735359.
Impact
An authenticated low-privilege attacker can inject content that executes in the sessions of other users subscribed to the same channel, allowing the attacker to influence operations performed on behalf of those users on the ABAP application server. SAP rates the impact as limited to integrity: the vulnerability is not assessed as exposing data or disrupting service, which is why the overall severity is moderate despite the attacker needing no user interaction.
Affected Products
- SAP Application Server ABAP for SAP NetWeaver
- SAP ABAP Platform
- Refer to SAP Note #3735359 for the authoritative list of affected Support Package versions
Discovery Timeline
- 2026-05-12 - CVE-2026-40129 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
- 2026-05-12 - SAP releases security patch via SAP Security Patch Day
Technical Details for CVE-2026-40129
Vulnerability Analysis
The flaw is a code injection weakness classified under [CWE-94] (Improper Control of Generation of Code). The ABAP application server accepts input from an authenticated user and routes that input through a publish/subscribe channel to other subscribed users. The receiving side processes the payload in a way that results in execution rather than treating the content as inert data.
Because the injected code runs in the subscribers' context, the attacker can influence operations performed on behalf of those users. SAP's assessment records a limited integrity impact with no confidentiality or availability impact, meaning the reachable code path can alter data handled by subscribers but is not rated as exposing data or degrading service.
The EPSS score at disclosure places this CVE in the lower tier of predicted exploitation likelihood, and no public proof of concept or in-the-wild exploitation had been recorded at the time of disclosure.
Root Cause
The root cause is insufficient validation and sanitization of attacker-supplied input that is later interpreted as code or executable directives on the subscriber side of an ABAP messaging channel. The component fails to enforce a boundary between data and code when redistributing payloads.
Attack Vector
Exploitation requires network access to the ABAP application server and authenticated access with low privileges. The attacker submits a crafted payload through the application interface, then waits for the server to deliver that payload to other subscribed users. When subscribers process the message, the embedded code executes within their session. User interaction is not required.
No verified public exploit code is available. Technical specifics are restricted to SAP customers through SAP Note #3735359.
Detection Methods for CVE-2026-40129
Indicators of Compromise
- Unexpected ABAP messaging or channel publish events originating from low-privilege accounts targeting broad subscriber groups
- Anomalous ABAP runtime behavior or executed statements correlated with recent inbound channel messages
- Security Audit Log entries (evaluate with SM20 or RSAU_READ_LOG; when the log is written to the database the records sit in table RSAU_BUF_DATA) showing channel payload fields that contain control characters, ABAP statement keywords, or escape sequences
Detection Strategies
- Enable Security Audit Log filters covering RFC calls, report and transaction starts, and any channel-related event classes your release provides, and forward the events to a SIEM for correlation
- Baseline normal publish/subscribe traffic patterns per user and alert on outliers in payload size, frequency, or content entropy
- Hunt for ABAP statements such as GENERATE SUBROUTINE POOL or dynamic PERFORM calls triggered shortly after channel message receipt
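The baselining and payload-inspection strategies above can be combined into one hunting pass. The following script is an added example, not code from SAP or from this advisory: it runs the heuristics over a constructed set of channel-publish records (user, channel, subscriber count, payload) and flags outliers in payload size, fan-out, and content entropy alongside ABAP dynamic-code keywords and control characters. The record layout, the field names, and every threshold are assumptions; map your own exported audit records into this shape and tune the constants against your observed baseline.

```python
"""Hunting heuristics over channel-publish audit records (added example).

Not SAP code. The record layout and thresholds are assumptions; adapt them
to the fields your Security Audit Log export actually carries.
"""
import math
import re
import statistics
from collections import defaultdict

# Constructed sample records, not real audit log output.
SAMPLE_RECORDS = [
    ("J_SMITH", "/sap/orders", 12, '{"order":"4711","state":"open"}'),
    ("J_SMITH", "/sap/orders", 12, '{"order":"4712","state":"open"}'),
    ("J_SMITH", "/sap/orders", 12, '{"order":"4713","state":"done"}'),
    ("J_SMITH", "/sap/orders", 12, '{"order":"4714","state":"open"}'),
    ("A_LEE", "/sap/orders", 12, '{"order":"4715","state":"open"}'),
    ("A_LEE", "/sap/orders", 12, '{"order":"4716","state":"done"}'),
    ("A_LEE", "/sap/orders", 12, '{"order":"4717","state":"hold"}'),
    # Anomaly 1: ABAP dynamic-code keyword, pushed to a far larger
    # subscriber set than this user normally reaches.
    ("A_LEE", "/sap/orders", 3500,
     '{"order":"4718","state":"open"} GENERATE SUBROUTINE POOL'),
    # Anomaly 2: opaque blob (each base64 symbol once, 6.0 bits/char).
    ("TMP_USER", "/sap/orders", 12,
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"),
    # Anomaly 3: an escape sequence hidden in an otherwise normal payload.
    ("J_SMITH", "/sap/orders", 12, '{"order":"4719","state":"open\x1b[0m"}'),
]

# ABAP statements that generate or run code at runtime; extend as needed.
CODE_MARKERS = re.compile(
    r"GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT|\bPERFORM\b|\bSUBMIT\b",
    re.IGNORECASE,
)
# C0/DEL control bytes other than tab, LF and CR.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

MIN_BASELINE = 3      # records needed before a user gets a personal baseline
ENTROPY_BITS = 5.2    # structured JSON sits near 3.5-4.7; random base64 above 5.5
SIZE_FACTOR = 3.0     # payload length vs. the user's median
FANOUT_FACTOR = 10.0  # subscriber count vs. the user's median


def shannon_entropy(text):
    """Bits per character; 0.0 for an empty payload."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def baselines(records):
    """Median payload size and subscriber count per user.

    Medians are used so that a single injected message cannot drag the
    baseline toward itself. Users with too few records get the global median.
    """
    per_user = defaultdict(lambda: ([], []))
    for user, _channel, fanout, payload in records:
        per_user[user][0].append(len(payload))
        per_user[user][1].append(fanout)
    global_size = statistics.median(len(r[3]) for r in records)
    global_fanout = statistics.median(r[2] for r in records)
    result = {}
    for user, (sizes, fanouts) in per_user.items():
        if len(sizes) >= MIN_BASELINE:
            result[user] = (statistics.median(sizes), statistics.median(fanouts))
        else:
            result[user] = (global_size, global_fanout)
    return result


def hunt(records):
    """Return (user, channel, reasons) for every record that trips a heuristic."""
    base = baselines(records)
    findings = []
    for user, channel, fanout, payload in records:
        size_med, fanout_med = base[user]
        reasons = []
        if CODE_MARKERS.search(payload):
            reasons.append("code_marker")
        if CONTROL_CHARS.search(payload):
            reasons.append("control_chars")
        if len(payload) > SIZE_FACTOR * size_med:
            reasons.append("size_outlier")
        if fanout > FANOUT_FACTOR * fanout_med:
            reasons.append("broad_fanout")
        if shannon_entropy(payload) >= ENTROPY_BITS:
            reasons.append("high_entropy")
        if reasons:
            findings.append((user, channel, reasons))
    return findings


if __name__ == "__main__":
    for user, channel, reasons in hunt(SAMPLE_RECORDS):
        print(f"{user:10} {channel:12} {', '.join(reasons)}")
```

On the sample data the script flags the three constructed anomalies and nothing else: the keyword-bearing message to 3500 subscribers (code marker plus fan-out), the base64-shaped blob (entropy), and the payload carrying an ESC sequence (control characters). The keyword list is deliberately short; mixed-case ABAP keywords in an otherwise ordinary message push entropy to roughly 4.7 bits, so keep the entropy cut above that and rely on the keyword and control-character checks for that class of payload.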
Monitoring Recommendations
- Ingest SAP audit and change logs into a centralized analytics platform with retention sufficient for retrospective hunts
- Monitor for new or modified ABAP programs and transports created by service accounts that should not perform development activity
- Track authentication anomalies on accounts with channel publish rights, including off-hours logons and unusual source IP addresses
How to Mitigate CVE-2026-40129
Immediate Actions Required
- Apply the patch documented in SAP Note #3735359 to all SAP NetWeaver ABAP and ABAP Platform systems
- Inventory which users hold publish rights on ABAP channels and reduce membership to the minimum required
- Review SAP Security Audit Log records for the past 90 days for suspicious channel activity
Patch Information
SAP released the fix as part of SAP Security Patch Day. Customers must obtain SAP Note #3735359 and follow the prerequisites and Support Package level guidance it contains. Confirm the correction in transaction SNOTE, where the note must show as completely implemented; if the fix is delivered through a Support Package, confirm the new Support Package level in SPAM/SAINT and check that the affected software components report the corrected level.
Workarounds
- Restrict network access to ABAP application server endpoints used for channel publication to trusted administrative networks
- Tighten authorization objects so that only vetted accounts can publish to shared channels
- Increase Security Audit Log verbosity for channel and dynamic code execution events until patches are deployed
# Kernel and database sanity checks from the OS shell (example)
# These commands report the installed kernel release and patch level and test
# database connectivity; they do NOT show whether an SAP Note is implemented.
# Replace <sid> with the lowercase system ID.
sudo -iu <sid>adm disp+work -V   # kernel release, patch number, compile date
sudo -iu <sid>adm R3trans -d     # DB connection test; "R3trans finished (0000)" means OK
# Note implementation status lives in the ABAP layer: in SAP GUI run transaction
# SNOTE and confirm that note 3735359 is shown as completely implemented, or check
# the Support Package level in SPAM if the fix arrived with a Support Package.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


