CVE-2026-34263
Received
Received - Intake
Improper Spring Security Configuration Leads to Code Injection in SAP Commerce Cloud
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | commerce_cloud | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-459 | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can have a high impact on the Confidentiality, Integrity, and Availability of the affected application.
- Confidentiality: Sensitive data could be exposed or stolen.
- Integrity: Data or configurations could be altered maliciously.
- Availability: The application or server could be disrupted or taken down.
Can you explain this vulnerability to me?
This vulnerability arises from improper configuration of Spring Security in SAP Commerce cloud. It allows an unauthenticated user to upload malicious configurations and inject code into the system.
As a result, the attacker can execute arbitrary server-side code, which means they can run any commands or programs on the server without authorization.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70