Description
A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value which could be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application.
Published: 2026-02-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity
Action: Patch
AI Analysis

Impact

A race condition in SAP Commerce Cloud allows an attacker to add items to a shopping cart in such a way that the cart entry may contain an incorrect product value. The flaw undermines data integrity, letting users potentially purchase or access an unintended product, but does not expose confidential data or disrupt application availability.

Affected Systems

SAP Commerce Cloud version 2205 and 2211 are susceptible. The vulnerability applies to all instances of the listed editions that have not applied the SAP security patch identified in Note 3689543.

Risk and Exploitability

The CVSS score is 5.9, indicating a medium severity vulnerability, while the EPSS score is less than 1%, suggesting a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote: an attacker performs normal cart operations (adding products) via the public-facing application, causing the race condition to trigger. There is no need for local privileges or privileged access, but the attacker must exploit the timing of the cart addition relative to the internal validation logic. If successful, the attacker could commit fraudulent transactions with incorrect product data.

Generated by OpenCVE AI on April 17, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security advisory referenced by SAP Note 3689543 to patch the race condition in Commerce Cloud
  • Upgrade to the latest available release of SAP Commerce Cloud that includes the fix, such as version 2211 or newer
  • Implement a temporary check that validates the product value in the cart entry before checkout and reject any mismatched items

Generated by OpenCVE AI on April 17, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*
cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap commerce Cloud
Vendors & Products Sap
Sap commerce Cloud

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value which could be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application.
Title Race condition vulnerability in SAP Commerce Cloud
Weaknesses CWE-366
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Sap Commerce Cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T17:19:50.779Z

Reserved: 2026-01-14T18:26:17.297Z

Link: CVE-2026-23684

cve-icon Vulnrichment

Updated: 2026-02-10T17:19:46.960Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:02.683

Modified: 2026-02-17T16:04:38.427

Link: CVE-2026-23684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses