Description
SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.
Published: 2026-06-09
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the SAP NetWeaver Application Server Java web container, where an unauthenticated attacker sends a crafted HTTP logon request to manipulate file inclusion parameters. The flaw permits directory traversal (CWE-35), allowing arbitrary files to be included. When the web container processes the included file, it can expose sensitive data, modify or delete files, or render components of the system unavailable.

Affected Systems

The affected product is SAP NetWeaver Application Server Java (Web Container) from SAP SE. All installations using this component are potentially vulnerable until a patch from SAP note 3727078 is applied. No specific version numbers are listed, so all current versions lacking the update are impacted.

Risk and Exploitability

With a CVSS score of 9, the vulnerability is critical. An attacker with network access to the web container can exploit it without authentication. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the high severity and the fact that it is exploitable remotely still pose a significant risk. An attacker could send malicious HTTP requests from any source to obtain sensitive information, modify data, or cause a denial of service.

Generated by OpenCVE AI on June 9, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP patch released in note 3727078 for the SAP NetWeaver Application Server Java (Web Container).
  • Restrict external access to the web container by placing it behind a firewall or reverse proxy, allowing only trusted networks to send requests.
  • After patching, test the application to confirm that directory traversal attempts to include non-existent or non-permitted files are blocked and that the application no longer processes unintended files.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap; Sap sap Netweaver Application Server Java

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap; Sap sap Netweaver Application Server Java

Tue, 09 Jun 2026 01:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.

Type: Title
Values Removed: (none)
Values Added: Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-35

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-09T13:20:23.825Z

Reserved: 2026-04-09T17:29:44.662Z

Link: CVE-2026-40128

Vulnrichment

Updated: 2026-06-09T13:20:18.607Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T01:16:46.050

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-40128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:45:37Z

Weaknesses