CVE-2026-24321

MEDIUM

SAP Commerce Cloud - Info Disclosure

Title source: llm

Description

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.

References (2)

[Permissions Required] https://me.sap.com/notes/3687771

[Vendor Advisory] https://url.sap/sapsecuritypatchday

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-359

Status published

Products (2)

sap/commerce_cloud 2205

sap/commerce_cloud 2211

Published Feb 10, 2026

Tracked Since Feb 18, 2026