VYPR
Medium severity (4.3) · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026

CVE-2026-40129

Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can inject arbitrary code via crafted inputs into SAP NetWeaver ABAP Application Server, affecting users of subscribed channels.

Vulnerability

Overview

CVE-2026-40129 is a Code Injection vulnerability in the SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker with access to the system can send specially crafted inputs to the application. When these malicious inputs are processed, they are delivered to other users who are subscribed to a communication channel, ultimately leading to the execution of arbitrary code on the clients of those users. The root cause lies in insufficient validation or sanitization of user-supplied data within the server components.

Exploitation

Details

Exploitation requires prior authentication to the SAP system, meaning the attacker must have valid credentials. The attack is performed by submitting crafted payloads to a vulnerable endpoint of the application server. The server then forwards these payloads to other subscribed users without proper filtering. No additional privileges beyond basic authentication are mentioned, suggesting that any authenticated user could potentially trigger the vulnerability. The attack vector is over the network, and user interaction may be required for the code to execute in the context of the recipient's session.

Impact

Successful exploitation enables the attacker to execute arbitrary code for other users. According to the official description, the impact on integrity is low, while confidentiality and availability remain unaffected. The attacker could potentially manipulate data or perform actions that the victim user is authorized to perform, but cannot directly read sensitive data or cause system downtime.

Mitigation

SAP has released security patches as part of their monthly Security Patch Day [1]. The advisory recommends immediate implementation of the corresponding SAP Security Note. No workarounds are described; applying the latest support packages is the only remediation. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 1