CVE-2026-24321
Undergoing Analysis
Undergoing Analysis - In Progress
Unauthorized Information Disclosure via Open APIs in SAP Commerce Cloud
Publication date: 2026-02-10
Last updated on: 2026-02-17
Assigner: SAP SE
Description
Description
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | commerce_cloud | 2211 |
| sap | commerce_cloud | 2205 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability in SAP Commerce Cloud allows unauthenticated users to access multiple API endpoints that are supposed to be restricted. These open endpoints can be used to submit requests and retrieve sensitive information that is not intended to be publicly accessible through the front-end.
How can this vulnerability impact me? :
The vulnerability has a low impact on confidentiality, meaning some sensitive information could be exposed to unauthorized users. However, it does not affect the integrity or availability of the system.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70