CVE-2026-24321 MEDIUM

CVE-2026-24321: Information Disclosure vulnerability in SAP Commerce Cloud

Vendor Sap_Se
Product SAP Commerce Cloud
Weakness CWE-359
Published February 10, 2026
Last update February 10, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, who can submit requests to these open endpoints and retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity or availability.

Key dates

02 Disclosure timeline

February 10, 2026 CVE published
February 10, 2026 Record updated