CVE-2026-24321

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3687771	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:commerce_cloud:2205:::::::*
	cpe:2.3:a:sap:commerce_cloud:2211:::::::*

History

No history.

Information

Published : 2026-02-10 04:16

Updated : 2026-02-17 15:24

NVD link : CVE-2026-24321

Mitre link : CVE-2026-24321

CVE.ORG link : CVE-2026-24321

JSON object : View

Products Affected

sap

commerce_cloud

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2026-24321", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-02-10T04:16:04.150", "references": [{"url": "https://me.sap.com/notes/3687771", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-359"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability."}, {"lang": "es", "value": "SAP Commerce Cloud expone m\u00faltiples puntos finales de API a usuarios no autenticados, permiti\u00e9ndoles enviar solicitudes a estos puntos finales abiertos para recuperar informaci\u00f3n sensible que no est\u00e1 destinada a ser accesible p\u00fablicamente a trav\u00e9s del front-end. Esta vulnerabilidad tiene un bajo impacto en la confidencialidad y no afecta la integridad y la disponibilidad."}], "lastModified": "2026-02-17T15:24:36.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391FB1C6-1A52-4E53-B042-44D592AEC7A5"}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AC6D6B9-6A5A-4631-B10F-FB95150E1B68"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}