Introduction
An unauthenticated path traversal flaw in the SAP NetWeaver Application Server Java Web Container allows any network reachable attacker to manipulate file inclusion parameters in HTTP logon requests, potentially reading sensitive files, modifying data, or disrupting system availability. With a CVSS score of 9.0 and no authentication requirement, CVE-2026-40128 lands squarely in the category of SAP NetWeaver Java vulnerabilities that have historically attracted rapid exploitation by both ransomware operators and state sponsored threat groups.
Technical Information
Root Cause: CWE-35 Path Traversal via Collapse Bypass
CVE-2026-40128 is classified under CWE-35: Path Traversal: '.../...//', a weakness class that exploits a subtle flaw in sequential input sanitization. When a security filter removes occurrences of "../" one pass at a time, the crafted string '.../...//' collapses into the canonical "../" traversal sequence after the first stripping pass. This is formally linked to CWE-182 (Collapse of Data into Unsafe Value), where the sanitization logic itself produces the dangerous output.
The vulnerability resides specifically in the Web Container component of SAP NetWeaver Application Server Java. The Web Container handles HTTP request processing, including authentication and logon flows, making it a foundational component of the SAP Java stack.
Attack Flow
The exploitation sequence, based on the NVD description and CWE-35 mechanics, proceeds as follows:
-
Craft a malicious HTTP logon request. The attacker sends an unauthenticated HTTP request to the SAP NetWeaver AS Java Web Container's logon endpoint. No credentials, session tokens, or prior access are required.
-
Inject path traversal sequences into file inclusion parameters. The logon request contains manipulated parameters that control file inclusion behavior. The attacker injects sequences such as '.../...//' (or URL encoded variants) into these parameters. The Web Container's input validation, if it relies on sequential stripping of "../", fails to neutralize the collapsed traversal.
-
Resolve a file path outside the intended directory. After the sanitization routine processes the input, the resulting path resolves to a location outside the restricted application directory. The attacker can target arbitrary files on the local filesystem.
-
Process the included file. The Web Container processes the traversed file rather than simply serving its raw contents. This processing step is what elevates the impact beyond pure information disclosure. Depending on the file targeted, the attacker can:
- View sensitive information such as configuration files, credentials, or application data (confidentiality impact).
- Modify data through the file processing mechanism (integrity impact).
- Render system components unavailable by targeting files critical to system operation (availability impact).
This creates a full CIA triad compromise scenario from a single unauthenticated HTTP request.
Comparison with Prior SAP NetWeaver Java Path Traversal Vulnerabilities
The following table contextualizes CVE-2026-40128 within the lineage of SAP NetWeaver Java path traversal and access control vulnerabilities:
| CVE | Component | Weakness | CVSS | Exploitation Status |
|---|---|---|---|---|
| CVE-2020-6286 | LM Configuration Wizard | Path Traversal | 10.0 | Exploited in the wild |
| CVE-2025-31324 | Visual Composer Metadata Uploader | Missing Auth + Deserialization | 10.0 | Actively exploited by APT and ransomware groups |
| CVE-2026-40128 | Web Container (HTTP Logon) | Path Traversal (CWE-35) + File Inclusion | 9.0 | No confirmed exploitation as of publication |
CVE-2020-6286 exploited path traversal for file download (confidentiality only). CVE-2025-31324 combined missing authorization with deserialization for remote code execution. CVE-2026-40128 occupies a middle ground: path traversal combined with file inclusion enables viewing, modification, and denial of service, but does not directly provide remote code execution based on available information.
Information Gaps
Several technical details were not available from public sources at the time of analysis:
- Specific affected version ranges of SAP NetWeaver AS Java
- The full CVSS vector string (the NVD record had not yet been enriched)
- The exact file inclusion parameters that can be manipulated
- Detailed exploit prerequisites beyond unauthenticated network access
Affected Systems and Versions
The affected component is the Web Container of SAP NetWeaver Application Server Java. Specific version ranges were not disclosed in the NVD entry or publicly available SAP advisories at the time of publication. SAP Security Note 3727078 contains the authoritative list of affected versions and is accessible through the SAP Support Portal.
The Web Container is a core component of the SAP NetWeaver Java stack. Onapsis Research Labs has identified more than 10,000 internet facing SAP applications, and the Visual Composer component (a related but less fundamental Java component) was estimated to be deployed in 50% to 70% of SAP Java systems. The Web Container's deployment footprint is likely comparable or larger given its role as a foundational middleware layer.
Vendor Security History
SAP's NetWeaver Java stack has a documented pattern of path traversal and access control vulnerabilities:
CVE-2020-6286 (CVSS 10.0): A path traversal vulnerability in the LM Configuration Wizard of SAP NetWeaver AS Java allowed unauthenticated attackers to download arbitrary files. This vulnerability was widely exploited and prompted US-CERT alerts.
CVE-2025-31324 (CVSS 10.0): A missing authorization check in the Visual Composer Metadata Uploader was actively exploited as a zero day by multiple threat actor groups, including Russian ransomware operators (BianLian, RansomEXX/Storm-2460), the Qilin ransomware as a service operation, and the China nexus APT group Earth Lamia. Exploitation began approximately one month before SAP's public disclosure.
SAP Note 3476549: A directory traversal vulnerability in SAP NetWeaver AS Java affecting specific URLs starting with /scheduler/ui/js/.
CVE-2025-42937: A critical path traversal vulnerability in the SAP Print Service enabling file disclosure and credential theft.
The recurrence of path traversal vulnerabilities in the NetWeaver Java stack suggests that the Web Container's file handling and input validation architecture has systemic weaknesses that extend beyond individual point patches.
SAP's monthly Security Patch Day program has consistently included critical severity notes in 2026. March 2026 included 15 new notes with 2 critical, April 2026 had 19 new notes with 1 critical, and May 2026 included 15 notes. CVE-2026-40128 was released as part of the June 9, 2026 patch day.
References
- NVD: CVE-2026-40128
- SAP Security Note 3727078
- SAP Security Patch Day Portal
- SAP Security Notes and News
- ASUG: What's New From SAP Security Patch June 2026
- CWE-35: Path Traversal '.../...//'
- Plexicus: CWE-35 Path Traversal Analysis
- Onapsis: CVE-2025-31324 SAP Zero Day Full Threat Analysis
- Onapsis: New Exploit for Critical SAP Vulnerability CVE-2025-31324
- Rapid7: Active Exploitation of SAP NetWeaver Visual Composer CVE-2025-31324
- SentinelOne: CVE-2020-6286 SAP NetWeaver Java Path Traversal
- Cybersecurity Dive: Critical Vulnerability in SAP NetWeaver Under Threat
- SAP NetWeaver AS Java Directory Traversal (SAP Note 3476549)
- Zeropath: CVE-2025-42937 SAP Print Service Path Traversal
- CSA Singapore: Critical Vulnerabilities in SAP
- OpenCVE: SAP NetWeaver Application Server Java CVEs
- SecurityBridge: SAP Patch Day Advisories
- ThreatDown: What is a Path Traversal Vulnerability



