Description
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
Published: 2026-02-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, permitting the submission of requests to these open endpoints that return sensitive information not intended for public front‑end access. This vulnerability is a CWE‑359 Information Leak flaw, allowing data disclosure. It results in a low impact on confidentiality and does not compromise integrity or availability.

Affected Systems

The affected vendor is SAP SE and the product is SAP Commerce Cloud, specifically versions 2205 and 2211. The vulnerability is present in those release versions, affecting the identified product stacks.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over the network, where an attacker can send unauthenticated requests to the exposed endpoints and retrieve confidential data.

Generated by OpenCVE AI on April 18, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SAP Security Patch Day update that addresses the exposed API endpoints for SAP Commerce Cloud versions 2205 and 2211.
  • Reconfigure the SAP Commerce Cloud deployment to restrict access to the API endpoints so that only authenticated users can interact with them.
  • Disable or remove any undocumented or unused API endpoints that are not required for normal operation.

Generated by OpenCVE AI on April 18, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*
cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap commerce Cloud
Vendors & Products Sap
Sap commerce Cloud

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
Title Information Disclosure vulnerability in SAP Commerce Cloud
Weaknesses CWE-359
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Sap Commerce Cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T17:01:39.830Z

Reserved: 2026-01-21T22:15:36.672Z

Link: CVE-2026-24321

cve-icon Vulnrichment

Updated: 2026-02-10T17:01:27.475Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:04.150

Modified: 2026-02-17T15:24:36.373

Link: CVE-2026-24321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses