Critical | 2026-06-09 | SAP NetWeaver | CVE-2026-40128

Directory Traversal in SAP NetWeaver AS Java Web Container

SAP NetWeaver Application Server Java (Web Container)

Our Take

Unauthenticated directory traversal on an internet-facing Java application server is a textbook breach scenario. Only one component version is listed (ENGINEAPI 7.50), but that is the current AS Java 7.5 codeline, so any maintained NetWeaver AS Java system should be treated as in scope, and if you run one this is immediate. Attackers routinely enumerate SAP Java installations, the logon endpoint is reachable before any authentication, and this class of vulnerability is trivially scriptable.

Vulnerability Detail

A directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container (ENGINEAPI 7.50) allows an unauthenticated attacker to send crafted HTTP logon requests whose file inclusion parameters contain traversal sequences. By escaping the directory the server intends to serve from, the attacker can read files that the server process has access to, potentially extracting configuration and credential data, and may also trigger denial of service conditions.

Workaround

Until the Note is applied, restrict access to the NetWeaver AS Java logon endpoints to trusted networks using a reverse proxy or WAF, and reject requests whose file inclusion parameters contain traversal sequences ("../", percent-encoded and double-encoded variants, backslashes). Treat perimeter filtering as a stopgap only: naive pattern rules are bypassed by encoding tricks, and the server-side fix in the SAP Note is the only complete remediation.
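The following is an added example of the perimeter validation described above; it is not SAP code and is not derived from the SAP Note. It shows why a plain substring match for "../" is insufficient and how a validator should canonicalize a parameter value (repeated percent-decoding, backslash mapping) before deciding whether it climbs out of the intended directory. The request path, the parameter names and the sample requests are constructed placeholders (assumptions), not the real SAP endpoint or parameter identifiers, which this page does not publish.

```python
"""Detect directory-traversal attempts in file-reference request parameters.

Added example for perimeter filtering / log triage. The endpoint path and the
parameter names are placeholders (assumptions); substitute the actual logon
URL and parameter names of your own NetWeaver AS Java system.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Placeholder names for parameters that reference files. Assumption: the real
# parameter names are not given on this page.
FILE_PARAMS = {"file", "page", "template", "include"}


def canonicalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252e) and
    map backslashes to forward slashes so that '..\\' is seen as '../'.

    Caveat: overlong UTF-8 encodings (e.g. %c0%ae for '.') are not normalized
    here; a real WAF decoder should reject invalid UTF-8 outright.
    """
    prev, cur = None, value
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def escapes_base(value: str) -> bool:
    """True if the canonical value leaves the notional serving directory.

    Walks the path segments and tracks depth; any '..' that would take depth
    below zero is an escape. Absolute paths and NUL bytes (legacy path
    truncation trick) are also flagged.
    """
    canon = canonicalize(value)
    if "\x00" in canon or canon.startswith("/"):
        return True
    depth = 0
    for seg in canon.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_request(request_target: str) -> list[str]:
    """Return the names of file parameters in a request target that attempt
    traversal. parse_qsl already decodes one layer of percent-encoding; the
    second pass in canonicalize() handles double encoding."""
    parts = urlsplit(request_target)
    return [
        name
        for name, val in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in FILE_PARAMS and escapes_base(val)
    ]


def triage(request_targets: list[str]) -> list[tuple[str, list[str]]]:
    """Return (request, flagged_parameters) for every request that trips the check."""
    results = []
    for target in request_targets:
        hits = inspect_request(target)
        if hits:
            results.append((target, hits))
    return results


# Constructed sample requests (not captured traffic). "/logon/index.jsp" is a
# placeholder path, not the real SAP endpoint.
CONSTRUCTED_REQUESTS = [
    "/logon/index.jsp?page=welcome.html",                          # benign
    "/logon/index.jsp?page=../../../../etc/passwd",                # plain traversal
    "/logon/index.jsp?page=..%2f..%2f..%2fWEB-INF%2fweb.xml",      # encoded slashes
    "/logon/index.jsp?page=%252e%252e%252f%252e%252e%252fsecret",  # double-encoded
    "/logon/index.jsp?page=..\\..\\..\\config.properties",         # backslashes
    "/logon/index.jsp?page=docs/../help.html",                     # stays inside root
]

if __name__ == "__main__":
    for target, hits in triage(CONSTRUCTED_REQUESTS):
        print(f"BLOCK {target}  (params: {', '.join(hits)})")
```

The depth-counting check is deliberately independent of what the web root actually is: it only asks whether the value can ever resolve above the directory the application prepends, which is the property a reverse proxy can verify without knowing the server's filesystem layout. The same logic can be run over access logs to find attempts that predate the filter.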

Patch Action

Apply SAP Note 3727078.

Affected Versions

ENGINEAPI 7.50

Patch Info

Priority

🔴 Patch immediately

CVSS Score

9

SAP Note

3727078

CVE

CVE-2026-40128

Published

2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.