high | 2026-06-09 | SAP Commerce Cloud | CVE-2026-29145

Apache Tomcat Vulnerabilities in SAP Commerce Cloud

SAP Commerce Cloud (Apache Tomcat)

Our Take

SAP Commerce Cloud is having a rough patch cycle — this is the second note this month for the platform, plus the critical Spring Security note. Bundling 3747484 and 3748262 into one planned rebuild saves operational overhead. If you have a Commerce Cloud maintenance window already scheduled for the Spring Security fix, add this too.

Vulnerability Detail

Multiple Apache Tomcat vulnerabilities (CVE-2026-29145, CVE-2025-66614, CVE-2026-24734) are bundled in the Tomcat server embedded in SAP Commerce Cloud. They allow unauthenticated attackers to exploit weaknesses in the Tomcat server, including certificate validation bypass and other server-side flaws. The impact on confidentiality and integrity is high.

Patch Action

Apply SAP Note 3747484. Bundle with other open Commerce Cloud notes (3748262) into a single rebuild and redeployment window.

Affected Versions

HY_COM 2205
COM_CLOUD 2211
COM_CLOUD 2211-JDK21

Patch Info

CVSS Score: 7.4
SAP Note: 3747484
CVE: CVE-2026-29145
Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.