ID

VAR-202602-2339


CVE

CVE-2026-23685


TITLE

Untrusted Data Deserialization Vulnerability in SAP NetWeaver

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955

DESCRIPTION

Due to a deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. Information handled by the software will not be rewritten. In addition, the software may stop functioning completely. Furthermore, attacks that exploit this vulnerability will not affect other software.

Trust: 1.62

sources: NVD: CVE-2026-23685 // JVNDB: JVNDB-2026-003955

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 1.8

vendor: sap, model: netweaver, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955 // NVD: CVE-2026-23685

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@sap.com: CVE-2026-23685
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2026-003955
value: MEDIUM

Trust: 0.8

cna@sap.com: CVE-2026-23685
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-003955
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955 // NVD: CVE-2026-23685

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955 // NVD: CVE-2026-23685

PATCH

title: SAP Security Notes & News
url: https://url.sap/sapsecuritypatchday

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955

EXTERNAL IDS

db: NVD, id: CVE-2026-23685

Trust: 2.6

db: JVNDB, id: JVNDB-2026-003955

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955 // NVD: CVE-2026-23685

REFERENCES

url:https://url.sap/sapsecuritypatchday

Trust: 1.0

url:https://me.sap.com/notes/3687285

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-23685

Trust: 0.8

sources: JVNDB: JVNDB-2026-003955 // NVD: CVE-2026-23685

SOURCES

db: JVNDB, id: JVNDB-2026-003955
db: NVD, id: CVE-2026-23685

LAST UPDATE DATE

2026-02-22T23:53:53.716000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-003955, date: 2026-02-19T06:25:00
db: NVD, id: CVE-2026-23685, date: 2026-02-17T16:04:13.617

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-003955, date: 2026-02-19T00:00:00
db: NVD, id: CVE-2026-23685, date: 2026-02-10T04:16:02.850