Description
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
References (2)
Core References
Permissions Required
https://me.sap.com/notes/3687771
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
11.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-359
Status
published
Products (2)
sap/commerce_cloud
2205
sap/commerce_cloud
2211
Published
Feb 10, 2026
Tracked Since
Feb 18, 2026