CVE-2026-23686
Undergoing Analysis
Undergoing Analysis - In Progress
CRLF Injection in SAP NetWeaver AS Java Allows Integrity Manipulation
Publication date: 2026-02-10
Last updated on: 2026-02-17
Assigner: SAP SE
Description
Description
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_application_server_java | 7.50 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
