Skip to main content

SAP Commerce Cloud EUVDEUVD-2026-29372

| CVE-2026-34263 CRITICAL
Incomplete Cleanup (CWE-459)
2026-05-12 sap GHSA-wxxf-gjw8-32x8
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:20 nvd
CRITICAL 9.6

DescriptionCVE.org

Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

AnalysisAI

Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.

Technical ContextAI

SAP Commerce Cloud is an enterprise e-commerce platform built on Java and Spring Framework. This vulnerability stems from CWE-459 (Incomplete Cleanup), manifesting as improper Spring Security configuration that fails to enforce authentication controls on configuration upload endpoints. Spring Security is the de-facto authentication and authorization framework for Java applications, and misconfigurations can expose administrative functions to unauthorized access. The affected component (cpe:2.3:a:sap_se:sap_commerce_cloud_configuration) specifically handles configuration management operations. When Spring Security is improperly configured, it may allow unauthenticated HTTP requests to bypass security filters, enabling attackers to upload malicious configuration files that the application processes without validation, leading to code injection and arbitrary execution within the application server context.

RemediationAI

Apply the vendor-released security patch detailed in SAP Security Note 3733064, accessible at https://me.sap/notes/3733064 (requires SAP Support Portal credentials). Refer to SAP Security Patch Day advisory at https://url.sap/sapsecuritypatchday for complete patch deployment guidance and version-specific instructions. If immediate patching is not feasible, implement compensating controls: restrict network access to SAP Commerce Cloud configuration endpoints to trusted IP ranges only via firewall rules or web application firewall (WAF) policies; disable or restrict configuration upload functionality if not operationally required (note: may impact administrative workflows); implement additional authentication layers such as mutual TLS or VPN access for configuration management interfaces; enable comprehensive logging and monitoring for configuration upload attempts from unexpected sources. These workarounds reduce attack surface but do not eliminate the underlying Spring Security misconfiguration - patching remains the definitive remediation.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-29372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy