Deserialization Vulnerability in SAP NetWeaver JMS Service
CVE-2026-23685

4.4MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver (jms Service)
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-23685?

A deserialization vulnerability exists in the SAP NetWeaver JMS service, where an authenticated administrator with local access can submit specially crafted content to the server. If this content is processed by the application, it could lead to unintended behavior during internal logic execution, resulting in potential denial of service. While the confidentiality and integrity of the system remains intact, successful exploitation can significantly impact availability.

Affected Version(s)

SAP NetWeaver (JMS service) J2EE-FRMW 7.50

References

https://me.sap.com/notes/3687285

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Jan 14, 2026

CVE-2026-23685 Data

JSON