Planned Fix

CVE-2026-34263

Authentication Bypass → Remote Code Execution in SAP Commerce Cloud

Summary

SAP Commerce Cloud's configuration-upload flow is guarded by an improperly configured Spring Security rule, which lets an unauthenticated attacker upload malicious configuration and inject code. The vulnerable flow sits in the Commerce Cloud configuration path and does not require valid credentials. Successful exploitation leads to arbitrary server-side code execution in the application context, with high impact to confidentiality, integrity, and availability.

Why Planned Fix?

4/6
No authentication required
Commonly internet-facing deployment
User interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type
Authentication Bypass
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
No
Impact

Execute arbitrary server-side code in the SAP Commerce Cloud application context

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker sends crafted requests to the Commerce Cloud configuration upload flow and abuses the missing Spring Security authentication check to submit attacker-controlled configuration. When the application accepts and processes that configuration, the injected payload executes on the server. Successful exploitation is confirmed by code execution in the SAP Commerce Cloud application context.
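The Summary and Exploitation Process above describe an authentication check that Spring Security was meant to enforce on the configuration-upload flow but does not. The following is an added, illustrative Spring Security 6 configuration, not SAP's code and not the actual vulnerable rule, showing the class of mistake a reviewer should look for (a broad permitAll matcher that shadows the rule protecting a sensitive path) next to a deny-by-default chain. The path /config/upload and the role CONFIG_ADMIN are assumptions for the example.

```java
// Added illustrative example; not SAP Commerce Cloud code. Assumes Spring Security 6.x
// (authorizeHttpRequests / requestMatchers). The "/config/upload" path and the
// "CONFIG_ADMIN" role are hypothetical names chosen for the illustration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ConfigUploadSecurity {

    // WEAK PATTERN (intentionally not registered as a @Bean): Spring Security evaluates
    // authorization matchers in declaration order and applies the first match. Because
    // "/config/**" with permitAll() comes first, it also matches "/config/upload", so the
    // hasRole rule below it is never reached and the upload flow needs no credentials.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/config/**").permitAll()
                .requestMatchers("/config/upload").hasRole("CONFIG_ADMIN")
                .anyRequest().permitAll());
        return http.build();
    }

    // HARDENED: most specific rule first, the rest of the configuration area requires an
    // authenticated principal, and anything not explicitly listed is denied by default.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/config/upload").hasRole("CONFIG_ADMIN")
                .requestMatchers("/config/**").authenticated()
                .anyRequest().denyAll())
            // Authentication mechanism shown for completeness; any authenticated entry point
            // (form login, OAuth2 resource server, ...) would do for this illustration.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

When reviewing a deployment for this class of issue, the points to check are matcher order (specific before broad), the final anyRequest() rule (denyAll or authenticated rather than permitAll), and that every administrative or upload-style endpoint is bound to a role rather than merely to "authenticated".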

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
1

Affected Software

Vendor: SAP
Product: SAP Commerce Cloud
Affected Versions: HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Description

SAP Commerce Cloud is SAP's cloud e-commerce platform for storefronts, product catalogs, pricing, checkout, and order management.

Deployment: Commonly internet-facing
Protocol: HTTPS
Ports: 443
Affected Component: Commerce Cloud configuration upload flow and the Spring Security authentication check protecting that flow.

Enterprise Usage: AI-generated estimate of how likely this vendor/product is to be deployed in enterprise environments, based on market presence, product type and adoption signals (not exact data).
Vendor Size: Big
Remediation
Workaround

Not available

Patch
Apply SAP Note 3733064 from the May 12, 2026 SAP Security Patch Day to the affected SAP Commerce Cloud builds (HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21).

Reference: support.sap.com
Update

Not available

Threat Intelligence
EPSS Score: 0.0% (probability of exploitation in the next 30 days)
EPSS Percentile: 7% (worse than 7% of all CVEs)

CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

CVSS Base Score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-459 Incomplete Cleanup