SAP AppRouter HTTP request smuggling in Node.js middleware
Unauthenticated HTTP request smuggling in SAP AppRouter — the Node.js middleware fronting Business Technology Platform. NVD scored it 9.1. A crafted request can desynchronize the request-response pipeline, exposing other users' responses and knocking the service offline.
- Vendor
- SAP
- Product
- AppRouter (Node.js middleware for SAP Business Technology Platform)
- CVSS
- 9.1
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
An unauthenticated HTTP request-smuggling flaw in SAP AppRouter, the Node.js middleware component that sits in front of Business Technology Platform tenants and terminates external HTTP traffic before passing it inward. NVD assigns CVSS 3.1 = 9.1 — no authentication, no user interaction, network-reachable.
What the flaw is (per NVD): “Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable.”
Request smuggling in an edge-terminating middleware is a category of bug the wider Node.js ecosystem has been chasing on and off since the class became famous in 2019. The upstream Node HTTP parser has been hardened repeatedly; a fresh 9.1 in a Node-based product in 2026 says the specific hazard here lives in AppRouter’s own code path rather than in a Node core parser mismatch, though the primary source is thin on the exact mechanism and this newsroom does not publish exploitation detail beyond that.
Status: SAP fixed this on the July 2026 Security Patch Day (published 2026-07-14). No known exploitation in the wild at time of writing, per BleepingComputer’s summary of the patch day.
What to do: Apply the July 2026 SAP Security Note that references this CVE from the SAP Support Portal. Because AppRouter is unauthenticated-reachable by definition — it’s the front door — this one gets prioritized over the two other criticals for anyone exposing BTP tenants to the public internet.
- SAP July 2026 Security Patch Day — SAP Support Portal (authenticated).
- BleepingComputer coverage, 2026-07-14.
- NVD entry.
