Description
The SAP Customer Checkout application exhibits certain design characteristics that involve locally storing operational data using reversible protection mechanisms. Access to this data, combined with user-initiated interaction, may allow modifications to occur without validation. Such changes could affect system behaviour during startup, resulting in a high impact on the application's confidentiality and integrity, with a low impact on availability.
Published: 2026-03-10
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Confidentiality and Integrity Violations via unauthorized modification of operational data
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from the SAP Customer Checkout application storing operational data locally with reversible protection mechanisms. When a user initiates certain interactions, those operations can modify the stored data without proper validation, allowing unauthorized changes that can affect system behavior during startup. This scenario compromises the application's confidentiality and integrity, but has a low impact on availability.

Affected Systems

SAP Customer Checkout 2.0. No specific version details are provided, so all releases of this product are potentially affected until an official patch becomes available.

Risk and Exploitability

The CVSS score is 5.6, indicating a moderate severity. The EPSS score is less than 1%, suggesting that the likelihood of exploitation in the near term is low. The vulnerability is not listed in the CISA KEV catalog, further supporting a lower risk posture. The attack can be performed by a user who can trigger the local data modification flow, typically through the application’s user interface, implying that the primary vector is a local or user-initiated interaction.

Generated by OpenCVE AI on April 16, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch or upgrade SAP Customer Checkout to a version that resolves reversible storage handling.
  • Restrict user privileges that allow initiating the modification flow, ensuring only authorized personnel can trigger such actions.
  • Configure or enforce stronger storage protection, such as using encryption or non-reversible hashing for operational data, to prevent unauthorized tampering.
  • Monitor application logs for unexpected changes to operational data during startup and set alerts for suspicious activity.


Tracking


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sap Se; Sap Se sap Customer Checkout 2.0

Type: Vendors & Products
Values Removed: (none)
Values Added: Sap Se; Sap Se sap Customer Checkout 2.0

Tue, 10 Mar 2026 00:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The SAP Customer Checkout application exhibits certain design characteristics that involve locally storing operational data using reversible protection mechanisms. Access to this data, combined with user-initiated interaction, may allow modifications to occur without validation. Such changes could affect system behaviour during startup, resulting in a high impact on the application's confidentiality and integrity, with a low impact on availability.

Type: Title
Values Removed: (none)
Values Added: Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-312

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.6, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:53:26.731Z

Reserved: 2026-01-21T22:15:25.361Z

Link: CVE-2026-24311

Vulnrichment

Updated: 2026-03-10T15:39:54.737Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T17:35:55.360

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-24311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses