SAP ABAP Server Code Injection Enables Arbitrary Exec
CVE-2026-40129 Published on May 12, 2026

Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

NVD

Vulnerability Analysis

CVE-2026-40129 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-40129 has been classified to as a Code Injection vulnerability or weakness.


Products Associated with CVE-2026-40129

Want to know whenever a new CVE is published for SAP NetWeaver? stack.watch will email you.

SAP NetWeaver
 

Affected Versions

SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform: