Credential Harvesting Vulnerability in SAP Cloud Application Programming Model
CVE-2026-46421

9.3CRITICAL

Key Information:

Vendor

Cap-js

Vendor
CVE Published:
15 July 2026

What is CVE-2026-46421?

The SAP Cloud Application Programming Model is designed for building enterprise-grade cloud applications, leveraging various Node.js packages for SQL database services. Recently, several compromised versions of critical packages were published, enabling malicious actors to harvest sensitive credentials such as npm tokens, cloud provider credentials, SSH keys, and GitHub personal access tokens from affected systems. Users of versions @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1 must take immediate action to upgrade to secure releases and rotate any credentials that were accessible on machines running the compromised versions.

Affected Version(s)

@cap-js/db-service = 2.10.1

@cap-js/postgres = 2.2.2

@cap-js/sqlite = 2.2.2

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.