CRLF Injection in SAP NetWeaver Application Server Java Vulnerability
CVE-2026-23686

3.4LOW

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Java
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-23686?

The CRLF Injection vulnerability in SAP NetWeaver Application Server Java allows authenticated attackers with administrative privileges to inject untrusted input into application-generated configuration files. If exploited, this can lead to unauthorized manipulation of application settings, posing risks to the integrity of the configurations. While the primary impact is on configuration integrity, both confidentiality and availability of the application remain intact.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SAP NetWeaver Application Server Java LMNWABASICAPPS 7.50

References

https://me.sap.com/notes/3673213

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

3.4

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Jan 14, 2026

JSON

SAP