ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-40128 — Critical Unauthenticated Path Traversal in SAP NetWeaver AS Java Web Container

A short review of CVE-2026-40128, a CVSS 9.0 unauthenticated path traversal vulnerability in the SAP NetWeaver Application Server Java Web Container that enables file inclusion via crafted HTTP logon requests, with potential for data disclosure, modification, and denial of service.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

Brief Summary: CVE-2026-40128 — Critical Unauthenticated Path Traversal in SAP NetWeaver AS Java Web Container
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated path traversal flaw in the SAP NetWeaver Application Server Java Web Container allows any network reachable attacker to manipulate file inclusion parameters in HTTP logon requests, potentially reading sensitive files, modifying data, or disrupting system availability. With a CVSS score of 9.0 and no authentication requirement, CVE-2026-40128 lands squarely in the category of SAP NetWeaver Java vulnerabilities that have historically attracted rapid exploitation by both ransomware operators and state sponsored threat groups.

Technical Information

Root Cause: CWE-35 Path Traversal via Collapse Bypass

CVE-2026-40128 is classified under CWE-35: Path Traversal: '.../...//', a weakness class that exploits a subtle flaw in sequential input sanitization. When a security filter removes occurrences of "../" one pass at a time, the crafted string '.../...//' collapses into the canonical "../" traversal sequence after the first stripping pass. This is formally linked to CWE-182 (Collapse of Data into Unsafe Value), where the sanitization logic itself produces the dangerous output.

The vulnerability resides specifically in the Web Container component of SAP NetWeaver Application Server Java. The Web Container handles HTTP request processing, including authentication and logon flows, making it a foundational component of the SAP Java stack.

Attack Flow

The exploitation sequence, based on the NVD description and CWE-35 mechanics, proceeds as follows:

  1. Craft a malicious HTTP logon request. The attacker sends an unauthenticated HTTP request to the SAP NetWeaver AS Java Web Container's logon endpoint. No credentials, session tokens, or prior access are required.

  2. Inject path traversal sequences into file inclusion parameters. The logon request contains manipulated parameters that control file inclusion behavior. The attacker injects sequences such as '.../...//' (or URL encoded variants) into these parameters. The Web Container's input validation, if it relies on sequential stripping of "../", fails to neutralize the collapsed traversal.

  3. Resolve a file path outside the intended directory. After the sanitization routine processes the input, the resulting path resolves to a location outside the restricted application directory. The attacker can target arbitrary files on the local filesystem.

  4. Process the included file. The Web Container processes the traversed file rather than simply serving its raw contents. This processing step is what elevates the impact beyond pure information disclosure. Depending on the file targeted, the attacker can:

    • View sensitive information such as configuration files, credentials, or application data (confidentiality impact).
    • Modify data through the file processing mechanism (integrity impact).
    • Render system components unavailable by targeting files critical to system operation (availability impact).

This creates a full CIA triad compromise scenario from a single unauthenticated HTTP request.

Comparison with Prior SAP NetWeaver Java Path Traversal Vulnerabilities

The following table contextualizes CVE-2026-40128 within the lineage of SAP NetWeaver Java path traversal and access control vulnerabilities:

CVEComponentWeaknessCVSSExploitation Status
CVE-2020-6286LM Configuration WizardPath Traversal10.0Exploited in the wild
CVE-2025-31324Visual Composer Metadata UploaderMissing Auth + Deserialization10.0Actively exploited by APT and ransomware groups
CVE-2026-40128Web Container (HTTP Logon)Path Traversal (CWE-35) + File Inclusion9.0No confirmed exploitation as of publication

CVE-2020-6286 exploited path traversal for file download (confidentiality only). CVE-2025-31324 combined missing authorization with deserialization for remote code execution. CVE-2026-40128 occupies a middle ground: path traversal combined with file inclusion enables viewing, modification, and denial of service, but does not directly provide remote code execution based on available information.

Information Gaps

Several technical details were not available from public sources at the time of analysis:

  • Specific affected version ranges of SAP NetWeaver AS Java
  • The full CVSS vector string (the NVD record had not yet been enriched)
  • The exact file inclusion parameters that can be manipulated
  • Detailed exploit prerequisites beyond unauthenticated network access

Affected Systems and Versions

The affected component is the Web Container of SAP NetWeaver Application Server Java. Specific version ranges were not disclosed in the NVD entry or publicly available SAP advisories at the time of publication. SAP Security Note 3727078 contains the authoritative list of affected versions and is accessible through the SAP Support Portal.

The Web Container is a core component of the SAP NetWeaver Java stack. Onapsis Research Labs has identified more than 10,000 internet facing SAP applications, and the Visual Composer component (a related but less fundamental Java component) was estimated to be deployed in 50% to 70% of SAP Java systems. The Web Container's deployment footprint is likely comparable or larger given its role as a foundational middleware layer.

Vendor Security History

SAP's NetWeaver Java stack has a documented pattern of path traversal and access control vulnerabilities:

CVE-2020-6286 (CVSS 10.0): A path traversal vulnerability in the LM Configuration Wizard of SAP NetWeaver AS Java allowed unauthenticated attackers to download arbitrary files. This vulnerability was widely exploited and prompted US-CERT alerts.

CVE-2025-31324 (CVSS 10.0): A missing authorization check in the Visual Composer Metadata Uploader was actively exploited as a zero day by multiple threat actor groups, including Russian ransomware operators (BianLian, RansomEXX/Storm-2460), the Qilin ransomware as a service operation, and the China nexus APT group Earth Lamia. Exploitation began approximately one month before SAP's public disclosure.

SAP Note 3476549: A directory traversal vulnerability in SAP NetWeaver AS Java affecting specific URLs starting with /scheduler/ui/js/.

CVE-2025-42937: A critical path traversal vulnerability in the SAP Print Service enabling file disclosure and credential theft.

The recurrence of path traversal vulnerabilities in the NetWeaver Java stack suggests that the Web Container's file handling and input validation architecture has systemic weaknesses that extend beyond individual point patches.

SAP's monthly Security Patch Day program has consistently included critical severity notes in 2026. March 2026 included 15 new notes with 2 critical, April 2026 had 19 new notes with 1 critical, and May 2026 included 15 notes. CVE-2026-40128 was released as part of the June 9, 2026 patch day.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization