Description

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, who can submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity or availability.

PUBLISHED Reserved 2026-01-21 | Published 2026-02-10 | Updated 2026-02-10 | Assigner sap




MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Product status

Default status: unaffected

HY_COM 2205: affected

COM_CLOUD 2211: affected

2211-JDK21: affected

References

me.sap.com/notes/3687771

url.sap/sapsecuritypatchday

cve.org (CVE-2026-24321)

nvd.nist.gov (CVE-2026-24321)
