CVE-2026-23684 PUBLISHED

Race condition vulnerability in SAP Commerce Cloud

Assigner: sap
Reserved: 14.01.2026 Published: 10.02.2026 Updated: 10.02.2026

A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value which could be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Commerce Cloud
Versions	Default: unaffected Version HY_COM 2205 is affected Version COM_CLOUD 2211 is affected Version 2211-JDK21 is affected

References

https://me.sap.com/notes/3689543
https://url.sap/sapsecuritypatchday

CVE-2026-23684 PUBLISHED

Race condition vulnerability in SAP Commerce Cloud

Metrics

Product Status

References

Problem Types