CVE-2026-24321 PUBLISHED

Information Disclosure vulnerability in SAP Commerce Cloud

Assigner: sap
Reserved: 21.01.2026 Published: 10.02.2026 Updated: 10.02.2026

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Commerce Cloud
Versions	Default: unaffected Version HY_COM 2205 is affected Version COM_CLOUD 2211 is affected Version 2211-JDK21 is affected

References

https://me.sap.com/notes/3687771
https://url.sap/sapsecuritypatchday

CVE-2026-24321 PUBLISHED

Information Disclosure vulnerability in SAP Commerce Cloud

Metrics

Product Status

References

Problem Types