CRLF Injection vulnerability in SAP NetWeaver Application Server Java

3.4 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

Description

Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.

Basic Information

ID CVE-2026-23686

Source sap

Published Feb 10, 2026 at 03:02

Affected Product

Vendor SAP_SE

Product SAP NetWeaver Application Server Java

Version LMNWABASICAPPS 7.50

Affected Versions SAP_SE SAP NetWeaver Application Server Java LMNWABASICAPPS 7.50

CWE Classification

CWE-113

References

{
    "lastseen": "",
    "description": "Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.",
    "published": "2026-02-10T03:02:37.342Z",
    "modified": "2026-02-10T03:02:37.342Z",
    "type": "cve",
    "title": "CRLF Injection vulnerability in SAP NetWeaver Application Server Java",
    "source": "sap",
    "references": "https://me.sap.com/notes/3673213\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-23686",
    "bulletinFamily": "",
    "cwe": [
        "CWE-113"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP NetWeaver Application Server Java LMNWABASICAPPS 7.50",
    "sourceHref": "",
    "cvss": {
        "score": 3.4,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP NetWeaver Application Server Java",
    "version": "LMNWABASICAPPS 7.50",
    "vendor": "SAP_SE",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

CRLF Injection vulnerability in SAP NetWeaver Application Server Java_CVE-2026-23686