Description
Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improperly configured Spring Security component in SAP Commerce cloud permits an unauthenticated user to upload malicious configuration files and inject code, leading to arbitrary server‑side code execution. This flaw, classified as CWE‑459, compromises confidentiality, integrity, and availability of the application, enabling attackers to gain full control of the affected instance.

Affected Systems

Vendors: SAP; Product: SAP Commerce cloud configuration. No specific version ranges are disclosed by the CNA. The vulnerability applies to any deployment of the SAP Commerce cloud configuration that still uses the outdated Spring Security configuration listed in SAP Note 3733064.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. EPSS data is unavailable, but the flaw can be exploited by anyone over the network without authentication, making it highly likely to be attacked. The vulnerability is not currently listed in the CISA KEV catalog, but its impact and critical score warrant immediate attention. Attackers can target the configuration upload endpoint directly, upload a malicious payload and trigger arbitrary code execution.

Generated by OpenCVE AI on May 12, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3733064 to enable authentication checks on the configuration upload endpoint and prevent unauthorized code injection.
  • Validate Spring Security configuration files after patching to confirm that authentication is required for any configuration modification and that least privilege principles are enforced.
  • If patch deployment cannot occur immediately, isolate the configuration management interface behind a firewall or reverse proxy that allows access only from trusted internal IP addresses as a temporary workaround.

Generated by OpenCVE AI on May 12, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Commerce Cloud Configuration
Vendors & Products Sap Se
Sap Se sap Commerce Cloud Configuration

Tue, 12 May 2026 03:00:00 +0000

Type Values Removed Values Added
Description Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Title Missing authentication check in SAP Commerce cloud configuration
Weaknesses CWE-459
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Sap Se Sap Commerce Cloud Configuration
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:20:34.380Z

Reserved: 2026-03-26T19:02:45.983Z

Link: CVE-2026-34263

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T03:16:11.650

Modified: 2026-05-12T03:16:11.650

Link: CVE-2026-34263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:05Z

Weaknesses