Impact
Adobe Commerce contains an Incorrect Authorization flaw that lets an attacker bypass security checks and read protected data without any user interaction. The vulnerability can expose customer information, order details, or other sensitive assets. The description states that exploitation depends on conditions beyond the attacker's control, but once those conditions are met the attacker can retrieve read-only data that should have been protected.
Affected Systems
Affected versions include Adobe Commerce 2.4.4-p15 and earlier, 2.4.5-p14, 2.4.6-p12, 2.4.7-p7, 2.4.8-p2, and 2.4.9-alpha2, along with the corresponding Adobe Magento open-source releases 2.4.6 to 2.4.9 in various preview and patch configurations.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate impact. The EPSS score of under 1% signifies a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to meet undocumented conditions, potentially requiring elevated privileges or specific requests, to trigger the bypass. Because the flaw grants read-only access, it is non-destructive, but it still poses a data-exposure risk.
OpenCVE Enrichment