CVE-2026-24321

Summary

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Commerce CloudHY_COM 2205affected
SAP_SESAP Commerce CloudCOM_CLOUD 2211affected
SAP_SESAP Commerce Cloud2211-JDK21affected

Weaknesses

  • CWE-359: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References