SQLi in @sap/hdi-deploy: unauth param injection alters SELECT
CVE-2026-40131 Published on May 12, 2026

SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library
SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.

NVD

Vulnerability Analysis

CVE-2026-40131 can be exploited with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a small impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-40131 has been classified to as a SQL Injection vulnerability or weakness.


Products Associated with CVE-2026-40131

Want to know whenever a new CVE is published for SAP Hana? stack.watch will email you.

SAP Hana
 

Affected Versions

SAP_SE SAP HANA Deployment Infrastructure (HDI) deploy library Version XS_HDI_DEPLOYER 1.00 is affected by CVE-2026-40131