Deserialization Vulnerability in SAP NetWeaver JMS Service
CVE-2026-23685

4.4MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver (jms Service)
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-23685?

A deserialization vulnerability exists in the SAP NetWeaver JMS service, where an authenticated administrator with local access can submit specially crafted content to the server. If this content is processed by the application, it could lead to unintended behavior during internal logic execution, resulting in potential denial of service. While the confidentiality and integrity of the system remains intact, successful exploitation can significantly impact availability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SAP NetWeaver (JMS service) J2EE-FRMW 7.50

References

https://me.sap.com/notes/3687285

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Jan 14, 2026

JSON

SAP

What is CVE-2026-23685?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.