CVE-2026-40129
Received Received - Intake
Code Injection in SAP Application Server ABAP

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-40129
EUVD
EUVD-2026-29361
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap application_server_abap *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Code Injection issue in the SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send specially crafted inputs to the application. If these inputs are processed and delivered to users subscribed to a channel, it could lead to execution of arbitrary code on behalf of other users.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to apply the latest security patches provided by SAP for the Application Server ABAP and ABAP Platform.

You can regularly check SAP Security Notes and apply relevant updates as soon as they are released to address this code injection vulnerability.

Ensure that only authenticated and authorized users have access to the affected SAP components to reduce the risk of exploitation.

Impact Analysis

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code as other users, which impacts the integrity of the system. However, it does not affect the confidentiality or availability of the system. The overall impact is considered low.

Compliance Impact

The vulnerability results in a low impact on integrity with no impact on confidentiality or availability. Since it does not affect confidentiality, it is unlikely to directly cause breaches of data protection regulations such as GDPR or HIPAA that primarily focus on protecting personal and sensitive data confidentiality and availability.

However, any code injection vulnerability could potentially be a concern for compliance if exploited to alter data or system behavior, but based on the provided information, this vulnerability's impact is limited and does not indicate direct compliance violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart