SAP Commerce Cloud ships sample OAuth2 client with publicly documented credentials
SAP Commerce Cloud retained a sample OAuth2 client whose credentials were documented in SAP Help Portal. If left unchanged, an unauthenticated attacker can use those well-known values to obtain a valid access token and read or modify tenant data via certain APIs. NVD scored 9.1.
- Vendor
- SAP
- Product
- Commerce Cloud (sample OAuth2 client shipped from documentation)
- CVSS
- 9.1
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
A default-credentials flaw in SAP Commerce Cloud. NVD assigns CVSS 3.1 = 9.1 — no authentication, no user interaction, network-reachable, high impact on confidentiality and integrity.
What the flaw is (per NVD): “SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data.”
There is a particular flavor of vulnerability that keeps returning across decades: the sample credential shipped in the documentation, left in place by a deploying team that either did not read the note about changing it or assumed the vendor’s sample would not be honored on a real production tenant. It is not the sort of bug that gets a fresh name; it is the same mistake, different decade. The 9.1 score is not on the attacker — the credentials were public — it is on the deployment.
Status: SAP fixed this on the July 2026 Security Patch Day (published 2026-07-14). No known exploitation in the wild at time of writing, per BleepingComputer’s summary of the patch day.
What to do: Apply the July 2026 SAP Security Note and, separately, audit whether the sample OAuth2 client is still enabled in your Commerce Cloud tenants — the patch removes the shipped default, but a tenant that provisioned around the sample rather than rotating it needs the credential rotated independently.
- SAP July 2026 Security Patch Day — SAP Support Portal (authenticated).
- BleepingComputer coverage, 2026-07-14.
- NVD entry.
