Impact
CVE-2026-21289 is an Incorrect Authorization flaw (CWE-863) in Adobe Commerce that allows a remote, unauthenticated actor to bypass security checks and read protected data without any user interaction. An attacker exploits the flaw by sending requests to the vulnerable APIs, resulting in a security feature bypass and unauthorized read access to sensitive information.
Affected Systems
Affected products are Adobe Commerce (Magento) versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and all earlier 2.4.x releases. The vulnerability is present in the core framework and is reflected in the associated CPE strings for these releases.
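The version list above is the latest affected release in each 2.4.x line, so whether a given install is in scope depends on correctly ordering pre-release, GA and patch-level suffixes (2.4.8 GA is older than 2.4.8-p3 and therefore affected; 2.4.9-beta1 is newer than 2.4.9-alpha3 and is not listed). The following is an added example, not code from the advisory, Adobe or OpenCVE, that parses Magento-style version strings and compares them against the advisory's list. It assumes the ordering alpha < beta < rc < GA < pN within one release line and that "all earlier 2.4.x releases" means every line below 2.4.4; lines the advisory does not speak to (2.3.x, or anything above 2.4.9) are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Latest affected release per 2.4.x line, copied from the advisory text.
LATEST_AFFECTED = [
    "2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8",
    "2.4.6-p13", "2.4.5-p15", "2.4.4-p16",
]

# Assumed ordering of suffixes within one release line:
# pre-release tags sort before GA (no suffix), which sorts before patch releases.
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, "ga": 3, "p": 4}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.4.8-p3' into a comparable tuple (2, 4, 8, stage_rank, 3)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4) or "ga"
    number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, STAGE_RANK[stage], number)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the advisory's scope, False if it is newer than
    the listed ceiling for its line, None if the advisory does not cover the line."""
    version = parse_version(text)
    line = version[:3]
    if line[:2] != (2, 4):
        return None  # advisory only describes 2.4.x

    ceilings = [parse_version(s) for s in LATEST_AFFECTED]
    for ceiling in ceilings:
        if ceiling[:3] == line:
            # Same release line: affected when at or below the listed ceiling.
            return version <= ceiling

    lowest_listed_line = min(c[:3] for c in ceilings)  # 2.4.4
    if line < lowest_listed_line:
        return True  # "all earlier 2.4.x releases"
    return None  # a 2.4.x line newer than any the advisory lists


if __name__ == "__main__":
    # Constructed sample of version strings as an admin might collect them.
    for sample in ["2.4.8-p3", "2.4.8-p4", "2.4.8", "2.4.9-alpha3", "2.4.9", "2.4.2", "2.3.7-p4"]:
        print(f"{sample:14} affected={is_affected(sample)}")
```

The version string to feed in is whatever the instance reports (for example from `bin/magento --version` or the `magento/product-community-edition` entry in `composer.lock`); treat a `None` result as "check the vendor advisory", not as "safe".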
Risk and Exploitability
The CVSS score is 7.5 (high severity), while the EPSS score is below 1%, indicating a low probability of exploitation at present. The CVE is not listed in KEV. Exploitation requires no user interaction and can be triggered remotely through HTTP requests to the affected endpoints, potentially giving an attacker unauthorized access to data. Administrators should treat the vulnerability as a present risk until a vendor patch is released.