CVE-2026-23685
MEDIUM
SAP NetWeaver - Authenticated Denial of Service via JMS Service Deserialization
Title source: llm
Description
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.
References (2)
Core References
Permissions Required
https://me.sap.com/notes/3687285
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
4.4
EPSS
0.0012
EPSS Percentile
2.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-502
Status
published
Products (1)
sap/netweaver
7.50
Published
Feb 10, 2026
Tracked Since
Feb 18, 2026