CVE-2026-40129: CWE-94: Improper Control of Generation of Code in SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
CVE-2026-40129 is a code injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send specially crafted inputs that, when processed, may execute arbitrary code for other users subscribed to the affected channel. The vulnerability impacts the integrity of the system but does not affect confidentiality or availability. It affects multiple SAP_BASIS versions from 740 through 816. The CVSS score is 4. 3, indicating a medium severity level. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40129) involves improper control of code generation (CWE-94) in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. Authenticated attackers can inject code via specially crafted inputs that are processed and delivered to users subscribed to a channel, potentially allowing arbitrary code execution affecting system integrity. The vulnerability affects a broad range of SAP_BASIS versions (740 to 816). The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact. No vendor advisory or patch information is currently available.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary code for other users subscribed to the affected channel, impacting system integrity at a low level. There is no impact on confidentiality or availability. The vulnerability does not appear to be actively exploited in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official remediation level or patch links are provided, organizations should monitor SAP security advisories for updates. In the meantime, restrict access to affected SAP_BASIS versions to trusted users only and review application input handling where possible to reduce risk.
CVE-2026-40129: CWE-94: Improper Control of Generation of Code in SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
Description
CVE-2026-40129 is a code injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send specially crafted inputs that, when processed, may execute arbitrary code for other users subscribed to the affected channel. The vulnerability impacts the integrity of the system but does not affect confidentiality or availability. It affects multiple SAP_BASIS versions from 740 through 816. The CVSS score is 4. 3, indicating a medium severity level. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40129) involves improper control of code generation (CWE-94) in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. Authenticated attackers can inject code via specially crafted inputs that are processed and delivered to users subscribed to a channel, potentially allowing arbitrary code execution affecting system integrity. The vulnerability affects a broad range of SAP_BASIS versions (740 to 816). The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact. No vendor advisory or patch information is currently available.
Potential Impact
Successful exploitation allows an authenticated attacker to execute arbitrary code for other users subscribed to the affected channel, impacting system integrity at a low level. There is no impact on confidentiality or availability. The vulnerability does not appear to be actively exploited in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official remediation level or patch links are provided, organizations should monitor SAP security advisories for updates. In the meantime, restrict access to affected SAP_BASIS versions to trusted users only and review application input handling where possible to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- sap
- Date Reserved
- 2026-04-09T17:29:44.663Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0295aecbff5d8610902bd1
Added to database: 5/12/2026, 2:51:26 AM
Last enriched: 5/12/2026, 3:07:53 AM
Last updated: 5/12/2026, 3:57:05 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.