CVE-2026-44747
SAP · Commerce Cloud
SAP Commerce Cloud retains default, publicly documented OAuth2 client credentials, allowing unauthenticated attackers to gain unauthorized API access and modify data.
Executive summary
The retention of default OAuth2 credentials in SAP Commerce Cloud enables unauthenticated attackers to gain unauthorized access to sensitive APIs and data.
Vulnerability
This vulnerability (CWE-1392) involves the presence of publicly known, default OAuth2 credentials in sample configurations that, if not removed or rotated, allow an unauthenticated attacker to obtain valid access tokens.
Business impact
An attacker can leverage these credentials to impersonate legitimate clients, leading to unauthorized data access and modification. This compromise of confidentiality and integrity carries significant business risk, as reflected in the 9.1 CVSS severity rating.
Remediation
Immediate Action: Update SAP Commerce Cloud to the latest version and ensure all sample OAuth2 configurations are removed or credentials are regenerated with unique, non-default values.
Proactive Monitoring: Monitor API access logs for successful authentication attempts originating from known sample client IDs or unusual account activity.
Compensating Controls: Implement strict API gateway policies that deny traffic from unauthorized or default-configured OAuth clients.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability highlights the danger of leaving default configurations in production environments. Administrators must audit their SAP Commerce Cloud deployments immediately to rotate or remove these sample credentials, as this is a trivial entry point for attackers.