SAP Commerce Cloud - Spring Security Misconfig Allows Remote Code Execution
CVE-2026-34263 Published on May 12, 2026
Missing authentication check in SAP Commerce cloud configuration
Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Vulnerability Analysis
CVE-2026-34263 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an Insufficient Cleanup Vulnerability?
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
CVE-2026-34263 has been classified to as an Insufficient Cleanup vulnerability or weakness.
Products Associated with CVE-2026-34263
Want to know whenever a new CVE is published for SAP Commerce Cloud? stack.watch will email you.
Affected Versions
SAP_SE SAP Commerce cloud configuration:- Version HY_COM 2205 is affected.
- Version COM_CLOUD 2211 is affected.
- Version 2211-JDK21 is affected.