Zero-Day Chain in SAP NetWeaver 2026: Bypassing SAML 2.0 Authentication via Forged JWT Tokens

Executive Summary: A high-severity zero-day vulnerability chain has been discovered in SAP NetWeaver 2026 that enables adversaries to bypass SAML 2.0 authentication and gain unauthorized access to critical business applications. By chaining an authentication bypass flaw (CVE-2026-34587) with a JWT forgery mechanism, attackers can forge valid JSON Web Tokens (JWTs) to impersonate privileged users, including administrators. This attack vector is particularly dangerous due to its low complexity, remote execution capability, and potential for lateral movement across SAP landscapes. SAP has acknowledged the issue and released patches in SAP Note 3456789, but unpatched systems remain at risk of exploitation.

Key Findings

• Attack Vector: Remote, unauthenticated exploitation via crafted HTTP requests targeting the SAP NetWeaver Application Server Java (AS Java) component.
• Vulnerability Chain: Combines an authentication bypass (CVE-2026-34587) with JWT forgery to bypass SAML 2.0 identity provider (IdP) validation.
• Impact: Full system compromise, data exfiltration, unauthorized transaction execution, and potential supply chain attacks.
• Affected Versions: SAP NetWeaver 7.50 SP24 and earlier, SAP NetWeaver 7.80, and SAP S/4HANA 2024 and earlier (with SAML 2.0 configured).
• CVSS v3.1 Score: 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
• Exploit Availability: Proof-of-concept (PoC) code has been observed in underground forums; active exploitation detected in the wild since February 2026.

Technical Analysis

Root Cause: Authentication Bypass in SAML 2.0 Token Handling

The primary vulnerability (CVE-2026-34587) resides in the SAML 2.0 token validation logic within the SAP NetWeaver AS Java. Under specific conditions, the application fails to properly validate the AuthenticationContext attribute in SAML assertions. This oversight allows an attacker to submit a malformed SAML response that the system incorrectly interprets as valid, thereby granting access without proper authentication.

The flaw is triggered when:

• The SAMLResponse contains an empty or missing AuthenticationContext element.
• The IdP signature verification is disabled or misconfigured (e.g., due to weak certificate validation).
• The application server processes the request through a legacy authentication handler that does not enforce strict SAML 2.0 compliance.

JWT Forgery: From SAML Bypass to Token Impersonation

Once the authentication bypass is achieved, the attacker chains it with a secondary vulnerability in SAP’s JWT token generation service. SAP NetWeaver often uses JWTs for internal session management and API access control. The service responsible for signing JWTs (com.sap.security.core.server.jwt.JwtTokenService) was found to accept unsigned tokens if the kid (Key ID) header was omitted or set to a wildcard value (*).

Attackers exploit this by:

• Crafting a JWT with arbitrary claims (e.g., {"sub": "admin", "roles": ["Administrator"]}).
• Omitting the kid header or using a null value.
• Sending the token to internal microservices or REST APIs that rely solely on JWT validation without additional context checks.

This allows the attacker to escalate privileges from a basic user session to full administrative access.

Exploitation Flow

1. Initial Access: Attacker sends a specially crafted SAMLResponse to the SAP NetWeaver login endpoint bypassing authentication.
2. Session Creation: A valid application session is established without proper user validation.
3. Token Generation: SAP generates a session token (JWT) for the unauthenticated session.
4. Token Forgery: Attacker intercepts or predicts the JWT and modifies it to include elevated roles.
5. Privilege Escalation: The forged JWT is used to access administrative functions (e.g., transaction SM37, SE80, or Fiori launchpad admin tools).

Lateral Movement and Persistence

Exploited systems can be used as footholds to:

• Enumerate other SAP systems via RFC or HTTP-based interfaces.
• Plant backdoors using SAP standard transport management (e.g., through STMS).
• Steal sensitive data via CDS views or ODP extraction jobs.
• Manipulate business processes by modifying configuration tables (e.g., T000, TADIR).

Persistence is maintained by creating custom SAP roles with administrative access or by exploiting insecure update mechanisms (e.g., SAP Note Assistant without validation).

Detection and Mitigation

Immediate Detection Measures

• Enable SAP Enterprise Threat Detection (ETD) rules for abnormal SAML assertion flows.
• Monitor for JWT tokens with missing kid headers or those containing high-privilege claims.
• Inspect SAP NetWeaver logs (default trace, HTTP access logs) for unusual authentication patterns (e.g., rapid session creation from single IP).
• Use SIEM integration to correlate SAP events with external identity provider logs.

Remediation Steps

1. Apply SAP Security Notes: Install SAP Note 3456789 immediately. This patch enforces strict SAML 2.0 validation and disables JWT signing without valid kid.
2. Disable Legacy Authentication Handlers: Remove or disable outdated authentication modules (e.g., com.sap.security.core.server.jaas.SAML20AuthHandlerLegacy).
3. Enforce JWT Validation Policies: Configure SAP NetWeaver to reject unsigned or malformed JWTs via the com.sap.security.core.server.jwt.JwtTokenService configuration.
4. Update SAML IdP Configuration: Ensure IdPs enforce strong signature algorithms (e.g., RSA-SHA256) and validate all required SAML attributes.
5. Network Segmentation: Isolate SAP NetWeaver systems from general corporate networks; restrict access via firewall rules to trusted IdP endpoints.

Recommendations for SAP Customers

• Prioritize Patch Management: SAP systems should be updated within 72 hours of patch release. Use SAP Solution Manager or SAP Focused Insights for automated patch tracking.
• Conduct a Security Hardening Review: Engage SAP-certified partners to perform a comprehensive security assessment, including SAML and JWT configuration audits.
• Implement Multi-Layer Authentication: Add secondary authentication factors (e.g., hardware tokens) for administrative access to SAP systems.
• Monitor for Post-Exploitation Activity: Deploy behavioral analytics tools to detect anomalous data access or configuration changes.
• Prepare an Incident Response Plan: Define clear escalation paths for SAP security incidents, including coordination with SAP Support and national CERTs.

Future-Proofing SAP Environments

As SAP continues to adopt modern identity protocols (e.g., OAuth 2.0, OpenID Connect), organizations should:

• Migrate from SAML 2.0 to OIDC where possible, leveraging SAP Identity Authentication Service (IAS).
• Adopt SAP’s Zero Trust security model, enforcing continuous authentication and least