Skip to main content

Sap Commerce Cloud

1 CVEs product

Monthly

CVE-2026-44761 CRITICAL NEWS Act Now

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.

SAP Information Disclosure Sap Commerce Cloud
NVD
CVSS 3.1
9.1
EPSS
0.4%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.

SAP Information Disclosure Sap Commerce Cloud
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy