CVE-2026-24321

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-24321
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://me.sap.com/notes/3687771 Permissions Required
https://url.sap/sapsecuritypatchday Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*
cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*
History

17 Feb 2026, 15:24

Type Values Removed Values Added
CPE cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*
cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
First Time Sap commerce Cloud
Sap
References () https://me.sap.com/notes/3687771 - () https://me.sap.com/notes/3687771 - Permissions Required
References () https://url.sap/sapsecuritypatchday - () https://url.sap/sapsecuritypatchday - Vendor Advisory
Summary
  • (es) SAP Commerce Cloud expone múltiples puntos finales de API a usuarios no autenticados, permitiéndoles enviar solicitudes a estos puntos finales abiertos para recuperar información sensible que no está destinada a ser accesible públicamente a través del front-end. Esta vulnerabilidad tiene un bajo impacto en la confidencialidad y no afecta la integridad y la disponibilidad.

10 Feb 2026, 04:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-10 04:16

Updated : 2026-02-17 15:24

NVD link : CVE-2026-24321

Mitre link : CVE-2026-24321

CVE.ORG link : CVE-2026-24321

JSON object : View

Products Affected

sap

  • commerce_cloud
CWE
CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

NVD-CWE-noinfo