A critical, unauthenticated path traversal flaw in the SAP NetWeaver Application Server Java Web Container lets remote attackers read, alter, or destroy files on affected systems via crafted HTTP logon requests.
What Is It
CVE-2026-40128 is a path traversal vulnerability (CWE-35) in the Web Container component of SAP NetWeaver Application Server Java. An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of an attacker-included file. Once that file is processed, the attacker may view or modify sensitive information, or render any part of the local system unavailable.
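The failure class described above is an include handler that maps an HTTP parameter to a file path without confining the result to an allowed directory. The following Python is an added illustration of the defensive check and of a matching log review; it is not SAP code and is not taken from the security note. The document root, the parameter names ("page", "include"), and the access-log lines are constructed assumptions for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed document root for the illustration (not an SAP path).
DOC_ROOT = "/srv/app/webroot"
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so a multi-encoded sequence cannot hide a traversal."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value  # still changing after the cap; containment check below decides


def resolve_include(param: str, doc_root: str = DOC_ROOT):
    """Canonical path an include parameter would reach, or None if it escapes doc_root.

    Uses posixpath so it runs offline; on a live host use os.path.realpath as well,
    because normpath does not follow symbolic links.
    """
    candidate = fully_decode(param).replace("\\", "/")
    if "\x00" in candidate:          # NUL bytes truncate paths in native code
        return None
    root = posixpath.normpath(doc_root)
    joined = posixpath.normpath(posixpath.join(root, candidate.lstrip("/")))
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def flag_traversal_requests(log_lines, param_names=("page", "include")):
    """Return (line_no, param, value) for requests whose file parameter escapes the root."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            _method, target = line.split()[5:7]   # combined-log layout: '"GET' '/path?qs'
        except ValueError:
            continue
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name in param_names:
            for value in query.get(name, []):
                if resolve_include(value) is None:
                    findings.append((n, name, value))
    return findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /logon?page=login%2Fbanner.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /logon?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /logon?page=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, name, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} escapes document root: {value!r}")
```

The containment check compares canonical paths rather than searching for a `../` substring, so encoded, doubly encoded, and backslash variants are all judged by where they actually resolve. The log scanner reuses the same function, which keeps the detection rule and the runtime guard in agreement.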
The flaw carries a CVSS 3.1 base score of 9.0 (CRITICAL), with the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. It is network-exploitable and requires no privileges or user interaction, though attack complexity is rated high. Notably, the scope is "changed," and confidentiality, integrity, and availability impacts are all rated high.
Why It Matters
This vulnerability requires no authentication and is reachable over the network, exposing the full impact triad: data theft, data tampering, and denial of service. The "changed" scope indicates the impact can extend beyond the vulnerable component itself. SAP NetWeaver underpins many core enterprise and business-critical systems, making any unauthenticated, remotely exploitable flaw of this severity a high-priority concern.
No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation in the wild at this time based on the available source material.
What's Vulnerable
SAP NetWeaver Application Server Java, specifically the Web Container component, is affected. The supplied NVD record does not enumerate specific affected version ranges (no CPEs were listed), so administrators should consult the referenced SAP security note to determine exact affected releases.
Patch Status
SAP has published a security note for this issue (SAP Note 3727078), referenced in the NVD record alongside SAP's Security Patch Day page. Organizations running SAP NetWeaver Application Server Java should review the SAP note and apply the vendor-provided fix. As of the source data, the NVD vulnerability status is "Awaiting Analysis."