Description
SQL injection vulnerability exists in the @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow high-privileged users to alter SELECT statements, impacting the confidentiality and availability of the application. There is no impact on integrity.
Published: 2026-05-12
Score: 3.4 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the @sap/hdi-deploy package used by SAP HANA Deployment Infrastructure (HDI). The flaw allows dynamically built SELECT queries to include unsanitized user input, enabling an attacker who has elevated privileges to modify which data is returned, thereby leaking sensitive information or disrupting application functionality. The description explicitly states that the vulnerability does not affect integrity, but it can compromise data confidentiality and availability for users of the application.

Affected Systems

The affected product is the SAP HANA Deployment Infrastructure (HDI) deploy library, provided by SAP SE. All installations that include the @sap/hdi-deploy component are at risk; no specific version ranges are listed in the CNA data, so all deployed instances should be considered potentially vulnerable unless known to be on a patched version.

Risk and Exploitability

The CVSS 3.1 score of 3.4 is rated Low; no EPSS score is available, so the likelihood of exploitation is not quantified. Because the issue requires a high-privileged user context to execute the manipulated SELECT statements (the vector specifies a local attack vector with high privileges required), this is a local, privileged-user attack rather than remote public exploitation. The vulnerability is not currently in the CISA KEV catalog, which lowers the indication of active exploitation, but the risk remains for insiders or compromised administrative accounts.

Generated by OpenCVE AI on May 12, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SAP HANA Deployment Infrastructure to a version where the @sap/hdi-deploy package has been patched to use parameterized queries or prepared statements.
  • Review the HDI deploy library code to ensure all dynamic SQL construction is performed with safe query building practices, avoiding string concatenation of user input.
  • Limit access to the HDI deploy library and its administrative interfaces to only trusted, audited personnel, and monitor log files for suspicious SELECT statement modifications.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Sap Se; Sap Se Sap Hana Deployment Infrastructure (hdi) Deploy Library

Type: Vendors & Products
Values Added: Sap Se; Sap Se Sap Hana Deployment Infrastructure (hdi) Deploy Library

Tue, 12 May 2026 03:00:00 +0000

Type: Description
Values Added: SQL injection vulnerability exists in the @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow high-privileged users to alter SELECT statements, impacting the confidentiality and availability of the application. There is no impact on integrity.

Type: Title
Values Added: SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L'}


Subscriptions

Sap Se Sap Hana Deployment Infrastructure (hdi) Deploy Library
MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:20:56.551Z

Reserved: 2026-04-09T17:29:44.663Z

Link: CVE-2026-40131

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T03:16:11.910

Modified: 2026-05-12T03:16:11.910

Link: CVE-2026-40131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:02Z

Weaknesses