CVE-2025-26654 Information

Description

SAP Commerce Cloud (Public Cloud) does not allow unencrypted HTTP (port 80) to be disabled entirely; instead it redirects requests on port 80 to port 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent in the first request, before the redirect takes effect, may be affected if a client is configured to use HTTP and includes confidential data in that first request.
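To make the exposure window concrete, the following is an added example (it is not SAP code and does not come from the referenced note). A local HTTP server on an ephemeral loopback port stands in for the port-80 redirector; a client configured for http:// posts a session cookie and form credentials, receives the 301 to https://, and the stand-in shows that the request had already crossed the network in cleartext. The /login path, the cookie, the form fields and the hostname commerce.example are constructed sample data; https_only() is the client-side mitigation the description implies, never issuing the first request over plaintext at all.

```python
"""
Added example for CVE-2025-26654 (not SAP code): shows that a client which is
configured to use http:// hands its first request, cookies and body included,
to the network in cleartext before the 301 to https:// ever arrives, and shows
the client-side fix of never issuing that first plaintext request at all.
A local HTTP server on an ephemeral loopback port stands in for the port-80
redirector; the /login path, cookie and form fields are constructed data.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Everything the stand-in redirector saw on the wire. An attacker on the same
# network segment (AV:A in the vector) would see exactly the same bytes.
OBSERVED = []


class RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for the port-80 listener: consume the request, answer 301 to HTTPS."""

    def _redirect(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        # By the time the redirect is sent the request has already crossed the
        # network unencrypted; nothing below can un-leak it.
        OBSERVED.append({"method": self.command, "path": self.path,
                         "cookie": self.headers.get("Cookie"), "body": body})
        host = self.headers.get("Host", "localhost").split(":")[0]  # drop the port, as 80 -> 443 would
        self.send_response(301)
        self.send_header("Location", "https://%s%s" % (host, self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _redirect

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_redirector():
    """Start the stand-in on 127.0.0.1 with an OS-assigned port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def naive_client_post(port, path, cookie, body):
    """A client configured for http://: sends cookie and credentials first, gets redirected later."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body=body,
                 headers={"Cookie": cookie,
                          "Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


def https_only(url):
    """Client-side mitigation: rewrite an http:// base URL to https:// before any request.

    The server-side redirect cannot protect the first request, so the client
    must never make that request over plaintext in the first place.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Run the naive client against the stand-in; return (status, location, what leaked)."""
    srv, port = start_redirector()
    try:
        status, location = naive_client_post(
            port, "/login", "JSESSIONID=abc123",            # constructed sample data
            b"j_username=alice&j_password=hunter2")
    finally:
        srv.shutdown()
        srv.server_close()
    return status, location, OBSERVED[-1]


if __name__ == "__main__":
    status, location, leaked = demo()
    print("redirected with", status, "to", location)
    print("but the redirector (and any eavesdropper) already saw:", leaked)
    print("fix: start from", https_only("http://commerce.example:80/login"))
```

The point of the example is the order of events: the 301 is only sent after the redirector has read the whole request, so the cookie and form body shown in OBSERVED were already exposed to anyone on the path. Clients and integrations that talk to Commerce must therefore be configured with an https:// base URL (the https_only() rewrite) rather than relying on the redirect.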

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://me.sap.com/notes/3543274
https://url.sap/sapsecuritypatchday

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.8

Base Severity

MEDIUM
