SAP NetWeaver JMS Deserialization: High Impact DoS
CVE-2026-23685 Published on February 10, 2026

Insecure Deserialization vulnerability in SAP NetWeaver (JMS service)
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.

NVD

Vulnerability Analysis

CVE-2026-23685 can be exploited with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-23685 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2026-23685

Want to know whenever a new CVE is published for SAP NetWeaver? stack.watch will email you.

SAP NetWeaver
 

Affected Versions

SAP_SE SAP NetWeaver (JMS service) Version J2EE-FRMW 7.50 is affected by CVE-2026-23685

Exploit Probability

EPSS
0.10%
Percentile
28.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.