VYPR
← All advisories
Critical severity9.0NVD Advisory· Published Jun 9, 2026· Updated Jun 9, 2026

CVE-2026-40128

CVE-2026-40128

Description

SAP NetWeaver Java's Web Container is vulnerable to path traversal via crafted HTTP logon requests, allowing unauthenticated attackers to access or modify files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP NetWeaver Java's Web Container is vulnerable to path traversal via crafted HTTP logon requests, allowing unauthenticated attackers to access or modify files.

Vulnerability

SAP NetWeaver Application Server Java (Web Container) is affected by a path traversal vulnerability. An unauthenticated attacker can exploit this by crafting a malicious HTTP logon request that manipulates file inclusion parameters.

Exploitation

An unauthenticated attacker needs network access to the affected SAP NetWeaver Application Server Java instance. The attacker must send a specially crafted HTTP logon request that includes manipulated file inclusion parameters to trigger the path traversal vulnerability.

Impact

Successful exploitation allows an attacker to view or modify sensitive information stored on the local system, or render parts of the local system unavailable. This could lead to unauthorized data access or denial of service.

Mitigation

SAP regularly releases security patches on its SAP Security Patch Day, typically the second Tuesday of every month [1]. Customers are advised to implement these corrections promptly. Specific patch details for this vulnerability are not yet disclosed in the available references.

References
  1. SAP Security Notes & News

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

1