Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-44761

SAP Commerce Cloud ships sample OAuth2 client with publicly documented credentials

SAP Commerce Cloud retained a sample OAuth2 client whose credentials were documented in SAP Help Portal. If left unchanged, an unauthenticated attacker can use those well-known values to obtain a valid access token and read or modify tenant data via certain APIs. NVD scored 9.1.

cat cve-2026-44761.json
Vendor
SAP
Product
Commerce Cloud (sample OAuth2 client shipped from documentation)
CVSS
9.1
EPSS (exploit probability)
N/A
Status
patched
Published

A default-credentials flaw in SAP Commerce Cloud. NVD assigns CVSS 3.1 = 9.1 — no authentication, no user interaction, network-reachable, high impact on confidentiality and integrity.

What the flaw is (per NVD): “SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data.”

There is a particular flavor of vulnerability that keeps returning across decades: the sample credential shipped in the documentation, left in place by a deploying team that either did not read the note about changing it or assumed the vendor’s sample would not be honored on a real production tenant. It is not the sort of bug that gets a fresh name; it is the same mistake, different decade. The 9.1 score is not on the attacker — the credentials were public — it is on the deployment.

Status: SAP fixed this on the July 2026 Security Patch Day (published 2026-07-14). No known exploitation in the wild at time of writing, per BleepingComputer’s summary of the patch day.

What to do: Apply the July 2026 SAP Security Note and, separately, audit whether the sample OAuth2 client is still enabled in your Commerce Cloud tenants — the patch removes the shipped default, but a tenant that provisioned around the sample rather than rotating it needs the credential rotated independently.