Critical | 2026-06-09 | SAP Commerce Cloud | CVE-2026-22732

Spring Security HTTP Header Vulnerability in SAP Commerce Cloud and Data Hub

SAP Commerce Cloud and SAP Data Hub

Our Take

Third critical Commerce Cloud note in as many months — this platform is drawing sustained researcher attention. If you run SAP Commerce Cloud or Data Hub, your patch cadence for this product needs to be on a shorter cycle. The Spring Security framework vulnerability is a well-documented external issue; SAP's exposure is in having shipped the affected version.

Vulnerability Detail

A vulnerability in the Spring Security framework — originally disclosed by VMware/Broadcom in early 2026 — affects SAP Commerce Cloud and SAP Data Hub. Incorrect HTTP security header handling in Spring Security allows an attacker to bypass security controls, with high impact on confidentiality and integrity. The underlying Spring Security flaw carries a CVSS of 9.1.

Workaround

Until the patch is applied, enforce correct HTTP security headers at the WAF in front of Commerce Cloud and Data Hub endpoints as a temporary mitigation.

Patch Action

Apply SAP Note 3748262. As with prior Commerce Cloud critical patches, coordinate with your DevOps team — a rebuild and redeployment may be required.

Affected Versions

HY_COM 2205
HY_DHUB 2205
COM_CLOUD 2211
COM_CLOUD 2211-JDK21
DHUB_CLOUD 2211

Patch Info

Priority: 🔴 Patch immediately
CVSS Score: 9.1
SAP Note: 3748262
CVE: CVE-2026-22732
Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.