Commerce Engine can be accessed from the client without certificate file


Description

The way client authentication is implemented in Sitecore Experience Commerce differs from the client authentication schemes used by other Sitecore products.

Therefore, to avoid potential vulnerabilities, make sure that all of the recommended actions for secure client authentication are applied.

Solution

To secure a Commerce Engine installation against unauthorized use, consider the measures listed at the following link: Certificate authentication.
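As an added, generic illustration (not Sitecore's own code and not taken from the linked guidance), the check below shows the property this article is asking for: a request is treated as authenticated only when the client actually presents a certificate and that certificate's thumbprint is on an explicit allowlist. The `require_certificate` switch models the misconfiguration the title describes, where requests carrying no certificate at all are still served. All certificate bytes, names and status codes are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AuthDecision:
    allowed: bool
    status: int
    reason: str


def thumbprint(cert_der: bytes) -> str:
    """Certificate thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def authorize_client(
    peer_cert_der: Optional[bytes],
    allowed_thumbprints: FrozenSet[str],
    require_certificate: bool = True,
) -> AuthDecision:
    """Decide whether a client may call the service.

    peer_cert_der is the DER-encoded certificate the client presented during
    the TLS handshake, or None if it presented none. The client's identity is
    derived from the certificate it actually presented, never from anything it
    merely claims in a header.
    """
    if peer_cert_der is None:
        if require_certificate:
            return AuthDecision(False, 401, "no client certificate presented")
        # Weak setting: anonymous callers are let through. This is the
        # condition the article warns about and is shown only for contrast.
        return AuthDecision(True, 200, "no certificate required (insecure)")

    # An empty allowlist must mean "nobody is trusted", not "everybody is".
    if not allowed_thumbprints:
        return AuthDecision(False, 403, "allowlist is empty; no client is trusted")

    tp = thumbprint(peer_cert_der)
    # Constant-time comparison against every allowlisted thumbprint.
    if not any(hmac.compare_digest(tp, trusted) for trusted in allowed_thumbprints):
        return AuthDecision(False, 403, f"certificate {tp[:8]}... is not allowlisted")
    return AuthDecision(True, 200, f"certificate {tp[:8]}... accepted")


# Constructed sample "certificates": arbitrary bytes standing in for DER data.
TRUSTED_CLIENT_CERT = b"constructed-der-bytes-trusted-client"
UNKNOWN_CLIENT_CERT = b"constructed-der-bytes-unknown-client"

# Allowlist built from the trusted sample only.
ALLOWLIST: FrozenSet[str] = frozenset({thumbprint(TRUSTED_CLIENT_CERT)})


def demo() -> dict:
    """Run the four cases a reviewer would want to see side by side."""
    return {
        "secure_no_cert": authorize_client(None, ALLOWLIST),
        "secure_unknown_cert": authorize_client(UNKNOWN_CLIENT_CERT, ALLOWLIST),
        "secure_trusted_cert": authorize_client(TRUSTED_CLIENT_CERT, ALLOWLIST),
        "insecure_no_cert": authorize_client(None, ALLOWLIST, require_certificate=False),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} -> {decision.status} {decision.reason}")
```

The useful review question this encodes is the one the article raises: can a request with no certificate ever reach a 200? In the secure configuration the answer is no for a missing certificate, for an unknown certificate, and for an empty allowlist; only the `require_certificate=False` path lets anonymous callers through.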

Acknowledgement

Sitecore would like to give credit to Ramon Brülisauer and Markus Koller of the Namics AG team for discovering potential security issues caused by incorrect implementation of certificate authentication in specific Experience Commerce solutions.