The SAP NetWeaver Application Server Java (Web Container) contains a path traversal vulnerability (CWE-35) identified as CVE-2026-40128. An unauthenticated attacker can exploit this by sending a specially crafted HTTP logon request that manipulates file inclusion parameters. This manipulation allows the attacker to traverse directories and include arbitrary files on the local system. Successful exploitation could lead to unauthorized disclosure or modification of sensitive data and potentially disrupt system availability. The affected version is ENGINEAPI 7.50. The vulnerability is rated critical with a CVSS 3.1 base score of 9.0, reflecting network attack vector, high attack complexity, no privileges or user interaction required, and impacts to confidentiality, integrity, and availability. No patch or official remediation level has been published by SAP as of the provided data.

Exploitation of this vulnerability could allow an unauthenticated attacker to access or modify sensitive files on the affected SAP NetWeaver Application Server Java system, potentially leading to data breaches or system disruption. The impact affects confidentiality, integrity, and availability of the system. There are no known exploits in the wild currently, but the high CVSS score indicates a severe risk if exploited.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, organizations should monitor SAP advisories closely for updates. Until a patch is available, consider restricting access to the affected service and applying compensating controls to limit exposure to unauthenticated HTTP requests targeting the Web Container.