CVE-2026-40128 (Severity: CRITICAL, CNA: sap)

CVE-2026-40128: Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.

Metrics

  • CVSS v3.1: 9.0
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated remote attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, bypassing path restrictions. The attack requires no credentials and is reachable over the network, though environmental conditions make reliable exploitation harder than average. Successful exploitation gives the attacker the ability to read or modify sensitive files on the host system, or render the system unavailable. No fix version has been published; HarborGuard tracks this advisory and will surface a patched rebuild the moment SAP releases one.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-40128 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images derived from SAP NetWeaver AS Java base layers. Any image carrying ENGINEAPI 7.50 will appear as affected in the scan results.

Triage: Available

HarborGuard scores this CVE at CVSS 9.0 Critical and applies per-environment compliance policy weighting to determine urgency and route findings to the appropriate team inbox within each customer organization. Customers with strict compliance baselines (such as those requiring zero Critical findings in production) will see this flagged for immediate attention under their configured policy.

Patch: Pending upstream

Because no fix version has been published by SAP, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment SAP ships a corrected release. In the interim, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation for affected workloads, which HarborGuard can surface as a recommended action inside the finding detail.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SAP NetWeaver Web Container over the network; the vulnerable HTTP logon endpoint is exposed as a network service.

  • Authentication: Not required

    No credentials are required; the malicious request can be sent by any unauthenticated party who can reach the endpoint.

  • Victim interaction: Not required

    No user or administrator action is needed to trigger the vulnerability; the attacker interacts directly with the service.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must contend with environmental or timing conditions (such as specific server configuration state) to reliably achieve file inclusion; the exploit is not unconditionally reliable.

Blast Radius

  • Reads arbitrary files from the local file system accessible to the Java Web Container process, including configuration files, credentials, and keystores.
  • Modifies files writable by the Web Container process, enabling tampering with application configuration or injecting malicious content.
  • Renders any part of the local system unavailable by corrupting or locking critical files, causing service disruption or a full system outage.
  • The CVSS Scope metric is Changed, meaning a successful attacker can affect resources beyond the Web Container itself, reaching other components or services on the same host.

How HarborGuard Handles This

Available on HarborGuard: because SAP has not yet published a fix for CVE-2026-40128, HarborGuard monitors the advisory on every feed ingest cycle and will automatically make a patched-image rebuild available for affected ENGINEAPI 7.50 images the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no patch exists, recommended compensating controls include applying Kubernetes NetworkPolicy or equivalent rules to restrict inbound HTTP access to the SAP NetWeaver Web Container to known-good source ranges, enabling egress filtering to limit which network-exposed paths (for example, remote file shares) the Web Container process can reach, and temporarily gating or disabling the HTTP logon endpoint if business operations allow it. HarborGuard surfaces these control suggestions directly in the finding detail for this CVE so the responsible team can act without context-switching to a separate advisory feed.

Affected packages
  • SAP_SE / SAP NetWeaver Application Server Java (Web Container)
    ENGINEAPI 7.50
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H