critical2026-07-14SAP Commerce CloudCVE-2026-44761

Hardcoded Sample OAuth2 Credentials in SAP Commerce Cloud OCC

SAP Commerce Cloud (OCC — Omnichannel Commerce API)

Our Take

Hardcoded credentials in a default configuration are, by definition, known to anyone who has read the SAP documentation. If you run Commerce Cloud and have not explicitly replaced the sample OAuth2 credentials, assume they are compromised. This is less a vulnerability and more an "everyone knows the combination" problem. Rotate credentials today, then patch.

Vulnerability Detail

SAP Commerce Cloud ships sample OAuth2 credentials in default configuration files for the OCC (Omnichannel Commerce) API layer. These sample credentials remain active in production environments where the default configuration has not been explicitly replaced. An attacker who discovers these credentials — which are publicly documented in SAP sample code — gains authenticated API access with the permissions of the sample client, potentially enabling unauthorised data access and modification across the commerce platform.

Workaround

Immediately rotate all OAuth2 client credentials in the Commerce Cloud OCC configuration. Remove or invalidate the sample client IDs shipped with the default installation. Audit OAuth2 clients for any unexpected access patterns.

Patch Action

Apply SAP Note 3753495. Review and replace all sample/default credentials in your Commerce Cloud configuration before or alongside the patch.

Affected Versions

HY_COM 2205
COM_CLOUD 2211
COM_CLOUD 2211-JDK21

Patch Info

Priority

🔴 Patch immediately

CVSS Score

9.1

SAP Note

3753495

CVE

CVE-2026-44761

Published

2026-07-14

← All patches