CVE-2025-26654 MEDIUM

CVE-2025-26654: Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)

Vendor Sap_Se
Product SAP Commerce Cloud (Public Cloud)
Weakness CWE-319 · Cleartext transmission
Published April 8, 2025
Last update February 26, 2026

CVSS base score

6.8/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.

Key dates

02Disclosure timeline

April 8, 2025 CVE published
February 26, 2026 Record updated