Skip to main content

Sap Commerce Cloud CVE-2026-44761

| EUVDEUVD-2026-43591 CRITICAL
Use of Default Credentials (CWE-1392)
2026-07-14 sap GHSA-7xw7-hxcm-552f
9.1
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (sap) · only source for this CVE.

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 01:18 vuln.today
CVE Published
Jul 14, 2026 - 00:20 cve.org
CRITICAL 9.1

DescriptionCVE.org

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.

AnalysisAI

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, identify and disable or remove the sample OAuth2 client from all SAP Commerce Cloud environments and audit recent API access logs for unauthorized activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy