Description
Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in SAP Commerce cloud’s Spring Security configuration lets an unauthenticated user perform malicious input injection, resulting in arbitrary server‑side code execution. This misconfiguration, classified as CWE‑459, jeopardizes confidentiality, integrity, and availability of the application, enabling attackers to gain full control of the affected instance.

Affected Systems

Vendors: SAP; Product: SAP Commerce cloud configuration. No specific version ranges are disclosed by the CNA. The vulnerability applies to any deployment of the SAP Commerce cloud configuration that still uses the outdated Spring Security configuration listed in SAP Note 3733064.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. EPSS score of < 1% indicates a very low probability of exploitation. The flaw allows any network user to target the configuration upload endpoint without authentication and inject malicious content, leading to arbitrary code execution. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can trigger it by sending specially crafted data to the vulnerable endpoint.

Generated by OpenCVE AI on May 15, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3733064 to enable authentication checks on the configuration upload endpoint and prevent unauthorized code injection.
  • Validate Spring Security configuration files after patching to confirm that authentication is required for any configuration modification and that least privilege principles are enforced.
  • If patch deployment cannot occur immediately, isolate the configuration management interface behind a firewall or reverse proxy that allows access only from trusted internal IP addresses as a temporary workaround.

Generated by OpenCVE AI on May 15, 2026 at 14:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application. Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Commerce Cloud Configuration
Vendors & Products Sap Se
Sap Se sap Commerce Cloud Configuration

Tue, 12 May 2026 03:00:00 +0000

Type Values Removed Values Added
Description Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Title Missing authentication check in SAP Commerce cloud configuration
Weaknesses CWE-459
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Sap Se Sap Commerce Cloud Configuration
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-15T11:47:04.699Z

Reserved: 2026-03-26T19:02:45.983Z

Link: CVE-2026-34263

cve-icon Vulnrichment

Updated: 2026-05-12T13:36:35.410Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T03:16:11.650

Modified: 2026-05-15T12:17:07.750

Link: CVE-2026-34263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T14:30:46Z

Weaknesses