CVE-2026-34263
published 2026-05-12


Priority: P263
Severity: critical, CVSS 3.1 base score 9.6
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.61% (44.7th percentile)
Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Affected (3 ranges)

Vendor   Product                            Version range   Fixed in
sap_se   sap_commerce_cloud_configuration   (not listed)    (not listed)
sap_se   sap_commerce_cloud_configuration   (not listed)    (not listed)
sap_se   sap_commerce_cloud_configuration   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via malicious configuration upload and code injection through an unauthenticated endpoint — monitor SAP Commerce Cloud for unauthenticated POST requests to configuration upload endpoints, especially from unexpected source IPs.
  • Root cause is improper Spring Security configuration — audit Spring Security filter chain configurations in SAP Commerce Cloud deployments for missing or misconfigured authentication requirements on sensitive endpoints.
  • No authentication is required to exploit this flaw — alert on server-side code execution events or process spawning originating from the SAP Commerce Cloud application process without a corresponding authenticated session.
  • SAP has not reported evidence of in-the-wild exploitation as of the May 2026 patch release, but CISA has historically added SAP flaws to its KEV catalog — treat as high-priority patching.
  • The vulnerability is specific to SAP Commerce Cloud (enterprise e-commerce platform); on-premises or differently configured deployments may have different exposure depending on their Spring Security configuration.