CVE-2026-44747

SAP · Commerce Cloud

SAP Commerce Cloud retains default, publicly documented OAuth2 client credentials, allowing unauthenticated attackers to gain unauthorized API access and modify data.

Executive summary

The retention of default OAuth2 credentials in SAP Commerce Cloud enables unauthenticated attackers to gain unauthorized access to sensitive APIs and data.

Vulnerability

This vulnerability (CWE-1392) involves the presence of publicly known, default OAuth2 credentials in sample configurations that, if not removed or rotated, allow an unauthenticated attacker to obtain valid access tokens.

Business impact

An attacker can leverage these credentials to impersonate legitimate clients, leading to unauthorized data access and modification. This compromise of confidentiality and integrity carries significant business risk, as reflected in the 9.1 CVSS severity rating.

Remediation

Immediate Action: Update SAP Commerce Cloud to the latest version and ensure all sample OAuth2 configurations are removed or credentials are regenerated with unique, non-default values.

Proactive Monitoring: Monitor API access logs for successful authentication attempts originating from known sample client IDs or unusual account activity.

Compensating Controls: Implement strict API gateway policies that deny traffic from unauthorized or default-configured OAuth clients.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability highlights the danger of leaving default configurations in production environments. Administrators must audit their SAP Commerce Cloud deployments immediately to rotate or remove these sample credentials, as this is a trivial entry point for attackers.