Skip to main content
Mallory
Back to vulnerabilities
Critical

Path Traversal in SAP NetWeaver Application Server Java Web Container

IdentifiersCVE-2026-40128CWE-35· Path Traversal: '.../...//'

CVE-2026-40128 affects SAP NetWeaver Application Server Java in the Web Container component. The vulnerability allows an unauthenticated attacker to send a crafted HTTP logon request that manipulates file inclusion parameters, resulting in path traversal and subsequent processing of the included file. Based on the provided information, the flaw is reachable over the network without authentication or user interaction. Successful exploitation depends on supplying a malicious request that causes the application to include and process an unintended local file.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker to view sensitive information, modify sensitive information, or render parts of the local system unavailable. The provided CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates high potential impact to confidentiality, integrity, and availability, with scope changed.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the SAP NetWeaver Application Server Java Web Container to untrusted networks, restrict access to HTTP logon endpoints to trusted sources only, and monitor for suspicious crafted logon requests that manipulate file inclusion parameters or attempt path traversal sequences. Additional compensating controls may include WAF rules or reverse-proxy filtering for traversal patterns and anomalous inclusion-related parameters, though these should be treated only as temporary mitigations until the SAP fix is applied.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fix referenced by SAP Note 3727078 and follow SAP Security Patch Day guidance for CVE-2026-40128. Upgrade or patch the affected SAP NetWeaver Application Server Java Web Container to the vendor-remediated version as specified by SAP.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
security online infoNews
Jun 9, 2026
SAP Security Patch Day: Critical Security Vulnerabilities

A directory traversal vulnerability in the Java Web Container that allows an anonymous attacker to manipulate file inclusion parameters via malicious HTTP logon requests, potentially accessing or modifying protected logs and causing host unavailability.

Read more
cvefeed high severityNews
Jun 9, 2026
CVE-2026-40128 - Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

A path traversal and file inclusion vulnerability in SAP NetWeaver Application Server Java (Web Container) that allows an unauthenticated attacker to manipulate HTTP logon request file inclusion parameters, potentially leading to viewing or modifying sensitive information or causing denial of service.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-40128
NVD
nvd.nist.gov/vuln/detail/CVE-2026-40128
MITRE CWE · CWE-35
Path Traversal: '.../...//'
me.sap.com
me.sap.com/notes/3727078
url.sap
url.sap/sapsecuritypatchday