CVE-2026-23686 LOW

CVE-2026-23686: CRLF Injection vulnerability in SAP NetWeaver Application Server Java

Vendor Sap_Se

Product SAP NetWeaver Application Server Java

Weakness CWE-113 · HTTP response splitting

Published February 10, 2026

Last update February 10, 2026

View on NVD All CVEs

CVSS base score

3.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

Description

Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.

Key dates

Disclosure timeline

February 10, 2026 CVE published

February 10, 2026 Record updated

Identifiers

CVE CVE-2026-23686

CWE CWE-113

CVSS 3.4 / LOW

Affected versions

Vendor Sap_Se

Product SAP NetWeaver Application Server Java

Affected LMNWABASICAPPS 7.50