CRLF Injection in SAP NetWeaver Application Server Java Vulnerability
CVE-2026-23686

3.4LOW

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Java
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-23686?

The CRLF Injection vulnerability in SAP NetWeaver Application Server Java allows authenticated attackers with administrative privileges to inject untrusted input into application-generated configuration files. If exploited, this can lead to unauthorized manipulation of application settings, posing risks to the integrity of the configurations. While the primary impact is on configuration integrity, both confidentiality and availability of the application remain intact.

Affected Version(s)

SAP NetWeaver Application Server Java LMNWABASICAPPS 7.50

References

https://me.sap.com/notes/3673213

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

3.4

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Jan 14, 2026

CVE-2026-23686 Data

JSON