ctipilot.ch

SAP Commerce Cloud hardcoded sample OAuth2 credential (CVSS 9.1)

cve · CVE-2026-44761

Coverage timeline
1
first 2026-07-14 → last 2026-07-14
Peak priority
notable
1 notable
Sources cited
4
4 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
SAP ApprouterSAP Commerce CloudSAP NetWeaver Application Server ABAP

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-14/sap-july-2026-patch-day-netweaver-approuter-commerce-cloud · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-14/sap-july-2026-patch-day-netweaver-approuter-commerce-cloud · ATT&CK page ↗

Story timeline

  1. 2026-07-14SAP July 2026 Security Patch Day: three CVSS ≥9.1 flaws in NetWeaver AS ABAP, Approuter and Commerce Cloud — two reachable without authentication
    trending-vulnerabilitiesSAP patches an unauthenticated Approuter request-smuggling flaw and a Commerce Cloud public-default-credential exposure; NCSC-CH flags all three

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • onapsis.com1 (25%)
  • security-hub.ncsc.admin.ch1 (25%)
  • securityweek.com1 (25%)
  • support.sap.com1 (25%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about SAP Commerce Cloud hardcoded sample OAuth2 credential (CVSS 9.1) (1)

2026-07-14 · view entry permalink →

NOTABLECVE-2026-44747 +2NATOB1

SAP July 2026 Security Patch Day: three CVSS ≥9.1 flaws in NetWeaver AS ABAP, Approuter and Commerce Cloud — two reachable without authentication

SAP's July 2026 Security Patch Day (14 July) carries three critical flaws NCSC Switzerland's Cyber Security Hub relayed directly to Swiss constituents, none with reported exploitation at publication (NCSC-CH, 2026-07-14; Onapsis Research Labs, 2026-07-14). CVE-2026-44747 (CVSS 9.9) is a memory-corruption flaw in the SAP NetWeaver Application Server ABAP kernel; SecurityWeek characterises successful exploitation as allowing an attacker to access and modify data and cause system unavailability, and SAP's only interim workaround (disabling the affected ICF nodes) is impractical because it breaks SAP GUI for HTML, so patching the kernel is the real mitigation (SecurityWeek, 2026-07-14). CVE-2026-27690 (CVSS 9.1) is an HTTP request-smuggling flaw in SAP Approuter's non-Cloud-Foundry deployments: an unauthenticated request desynchronises the request/response stream on a shared front-end, a primitive usable to poison or hijack another user's request. CVE-2026-44761 (CVSS 9.1) is a hardcoded sample OAuth2 credential in SAP Commerce Cloud — any customer that ran SAP's own documented sample configuration and never rotated the shipped secret exposes a publicly-known credential an unauthenticated attacker can use to obtain a valid OCC-API access token (Onapsis Research Labs, 2026-07-14).

The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization.

Exploitation requires that the customer execute the sample script and retain the resulting OAuth2 client in production without replacing the hardcoded secret.

Successful exploitation of the security defect could allow an attacker to access and modify data, and cause system unavailability, SAP security firm Onapsis explains.

SecurityWeek 2026-07-14
vulnerability14 Jul 20:19Zmulti-sourceOpen finding ↗