A critical (CVSS 9.1) flaw lets unauthenticated attackers use well-known sample OAuth2 credentials to obtain valid access tokens and read or modify data in affected SAP Commerce Cloud deployments.
What Is It
CVE-2026-44761 is a critical vulnerability in SAP Commerce Cloud caused by a sample OAuth2 client that ships with publicly documented sample credentials. Those credentials originate from sample configuration published in the SAP Help Portal documentation. If the sample client is left unchanged, an unauthenticated attacker can use the well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data.
The issue is classified as CWE-1392 (Use of Default Credentials). It carries a CVSS 3.1 base score of 9.1 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, network-exploitable, low complexity, and requiring no privileges or user interaction.
Why It Matters
Successful exploitation results in high impact on both confidentiality and integrity, with no impact on availability. Because the credentials are publicly documented and the attack requires no authentication or user interaction, an attacker who reaches an exposed instance can read and modify data through the affected APIs. No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation in the provided source material.
What's Vulnerable
SAP Commerce Cloud (vendor: SAP SE). The following versions are listed as affected:
- HY_COM 2205
- COM_CLOUD 2211
- 2211-JDK21
The default status for the product is "unaffected," with only the versions above flagged as affected.
Patch Status
SAP published guidance through SAP Security Note 3753495 and its Security Patch Day process. Remediation centers on changing the sample OAuth2 client's default credentials rather than leaving the documented sample configuration in place. Administrators should review the referenced SAP note for authoritative fix and mitigation details.
Sources
- SAP Security Note 3753495; https://me.sap.com/notes/3753495
- SAP Security Patch Day; https://url.sap/sapsecuritypatchday
- NVD: CVE-2026-44761; https://nvd.nist.gov/vuln/detail/CVE-2026-44761