CVE-2026-40129
CWE-94Published: May 12, 2026· Updated: May 12, 2026
Official Description
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.
Technical Analysis
CVE-2026-40129 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-94)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40129 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts