Description
SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.
Published: 2026-07-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from SAP Commerce Cloud retaining a sample OAuth2 client that includes publicly documented credentials provided as part of sample configuration in SAP Help Portal. These credentials are well known, and if the sample client is left unchanged, an unauthenticated attacker can use them to obtain a valid access token. With an access token, the attacker can call specific APIs to read and modify data stored in the Commerce application. This results in significant loss of confidentiality and integrity of data; availability remains unaffected.

Affected Systems

Affected systems are installations of SAP Commerce Cloud that still contain the default sample OAuth2 client configuration. The exact product versions are not enumerated in the advisory; however, any deployment that has not removed or updated the sample credentials from its configuration can potentially be vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a high severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likelihood of exploitation is high if default credentials remain in place, as no authentication is required to activate the attack path. An attacker simply needs network access to the OAuth2 endpoint and the knowledge of the well‑known credentials to obtain a token and proceed with API calls. There are no special prerequisites beyond the presence of the default sample client.

Generated by OpenCVE AI on July 14, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace or remove the default OAuth2 client and its credentials from SAP Commerce Cloud configuration.
  • Apply the SAP SE SAP Commerce patch referenced in the advisory (Note 3753495) to eliminate the default sample credentials.
  • Validate that no sample OAuth2 client remains and that all client credentials are unique and secure.
  • If a patch is not immediately available, temporarily disable or restrict access to the OAuth2 authentication endpoint or block the sample credentials at the network level.
  • Continuously monitor authentication logs for attempts to use the default sample credentials.

Generated by OpenCVE AI on July 14, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.
Title Insecure Sample Credentials in SAP Commerce Cloud
Weaknesses CWE-1392
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-07-14T12:49:21.374Z

Reserved: 2026-05-07T18:31:04.067Z

Link: CVE-2026-44761

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses