CVE-2026-34263
Improper Spring Security Configuration Leads to Code Injection in SAP Commerce Cloud
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | commerce_cloud | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-459 | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability arises from improper configuration of Spring Security in SAP Commerce cloud. It allows an unauthenticated user to upload malicious configurations and inject code into the system.
As a result, the attacker can execute arbitrary server-side code, which means they can run any commands or programs on the server without authorization.
How can this vulnerability impact me? :
The vulnerability can have a high impact on the Confidentiality, Integrity, and Availability of the affected application.
- Confidentiality: Sensitive data could be exposed or stolen.
- Integrity: Data or configurations could be altered maliciously.
- Availability: The application or server could be disrupted or taken down.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated users to perform malicious configuration uploads and code injection, resulting in arbitrary server-side code execution. Such a compromise can lead to a high impact on the confidentiality, integrity, and availability of the application.
Given the high impact on confidentiality and integrity, this vulnerability could potentially lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require strict protection of sensitive data and system integrity.