{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24321", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-21T22:15:36.672Z", "datePublished": "2026-02-10T03:03:52.708Z", "dateUpdated": "2026-02-10T17:01:39.830Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Commerce Cloud", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "HY_COM 2205"}, {"status": "affected", "version": "COM_CLOUD 2211"}, {"status": "affected", "version": "2211-JDK21"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.</p>"}], "value": "SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-359", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:03:52.708Z"}, "references": [{"url": "https://me.sap.com/notes/3687771"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Information Disclosure vulnerability in SAP Commerce Cloud", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T17:01:23.441445Z", "id": "CVE-2026-24321", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:01:39.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T17:01:23.441445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:01:27.475Z"}}], "cna": {"title": "Information Disclosure vulnerability in SAP Commerce Cloud", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Commerce Cloud", "versions": [{"status": "affected", "version": "HY_COM 2205"}, {"status": "affected", "version": "COM_CLOUD 2211"}, {"status": "affected", "version": "2211-JDK21"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3687771"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:03:52.708Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24321", "state": "PUBLISHED", "dateUpdated": "2026-02-10T17:01:39.830Z", "dateReserved": "2026-01-21T22:15:36.672Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:03:52.708Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:commerce_cloud:2205:*:*:*:*:*:*:*", "matchCriteriaId": "391FB1C6-1A52-4E53-B042-44D592AEC7A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*", "matchCriteriaId": "4AC6D6B9-6A5A-4631-B10F-FB95150E1B68", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability."}, {"lang": "es", "value": "SAP Commerce Cloud expone m\u00faltiples puntos finales de API a usuarios no autenticados, permiti\u00e9ndoles enviar solicitudes a estos puntos finales abiertos para recuperar informaci\u00f3n sensible que no est\u00e1 destinada a ser accesible p\u00fablicamente a trav\u00e9s del front-end. Esta vulnerabilidad tiene un bajo impacto en la confidencialidad y no afecta la integridad y la disponibilidad."}], "id": "CVE-2026-24321", "lastModified": "2026-02-17T15:24:36.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:04.150", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3687771"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "cna@sap.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}