Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch
AI Analysis

Impact

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier contain an Incorrect Authorization flaw (CWE-863). The flaw allows an attacker to bypass security controls and gain limited unauthorized view access to data. The vulnerability can be exploited without user interaction, which means that a remote attacker could trigger the bypass by sending specially crafted requests to the vulnerable system.

Affected Systems

Affected products: Adobe Commerce (Magento). Specific vulnerable versions include 2.4.4-p16 and all earlier releases, 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3, and 2.4.9-alpha3. All other Adobe Commerce releases not listed are considered not vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. EPSS shows exploitation probability is less than 1%, and the vulnerability is not listed in KEV. Because exploitation does not require user interaction, the attack vector can be remote, potentially allowing an attacker to trigger the bypass by sending crafted requests to exposed endpoints. The risk is moderate but requires timely remediation to protect sensitive data.

Generated by OpenCVE AI on March 17, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Adobe for available patches or upgrade to a non-affected version of Adobe Commerce
  • If no patch is available, enforce stricter role‑based access controls for sensitive data to limit potential damage
  • Monitor access logs for signs of unauthorized view attempts and review configuration regularly

Generated by OpenCVE AI on March 17, 2026 at 15:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:*:*:*:*:open_source:*:*:*

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe commerce
Adobe commerce B2b
Adobe magento
CPEs cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:beta3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p14:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p15:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:beta3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.9:alpha3:*:*:open_source:*:*:*
Vendors & Products Adobe commerce
Adobe commerce B2b
Adobe magento

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Commerce
Vendors & Products Adobe
Adobe adobe Commerce

Wed, 11 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.
Title Adobe Commerce | Incorrect Authorization (CWE-863)
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Adobe Adobe Commerce Commerce Commerce B2b Magento
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:34:41.685Z

Reserved: 2025-12-12T22:01:18.189Z

Link: CVE-2026-21286

cve-icon Vulnrichment

Updated: 2026-03-11T13:34:37.342Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T03:15:53.417

Modified: 2026-03-11T18:21:53.933

Link: CVE-2026-21286

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:07Z

Weaknesses