Impact
This vulnerability is a Server-Side Request Forgery (SSRF) in Adobe Commerce. An attacker who already holds high privileges in the application can make the Commerce server issue HTTP requests to destinations of the attacker's choosing, including internal hosts that are not reachable from the internet. Because the request originates from the server, it can be used to bypass network-level security controls: reading sensitive configuration data exposed on internal services, probing internal ports, or calling protected APIs that trust the server's network position. No user interaction is required. The attacker must be able to reach the vulnerable endpoint with the required privilege level, so the flaw is not exploitable anonymously, but once that condition is met any host the Commerce server can reach is a potential target.
Affected Systems
Affected are Adobe Commerce and Magento Open Source 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier releases on each of those branches. The two editions share the affected code, so Adobe Commerce (the commercial edition) and Magento Open Source are equally exposed on those versions, irrespective of how they are deployed.
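As an added example (not code from the advisory or from Adobe), here is a version check that turns the list above into something an operator can run against the version string reported by an installed instance. It assumes the advisory's "and lower" means everything at or below the listed patch level on the same 2.4.x branch, that pre-release suffixes order as alpha < beta < GA < p (the ordering Magento's own version numbers follow), and that branches older than 2.4.4 are affected while branches newer than 2.4.9 are not; those last two points are assumptions, not statements from the page. The `extract_version` helper's input line is constructed for the example; check it against what your own `bin/magento --version` actually prints.

```python
import re
from typing import Optional, Tuple

# Ceilings taken from the advisory text: the listed release and everything
# below it on the same branch is affected.
AFFECTED_CEILINGS = {
    (2, 4, 9): ("alpha", 3),
    (2, 4, 8): ("p", 3),
    (2, 4, 7): ("p", 8),
    (2, 4, 6): ("p", 13),
    (2, 4, 5): ("p", 15),
    (2, 4, 4): ("p", 16),
}

# Assumption: pre-release and patch suffixes sort as alpha < beta < GA < p.
SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?")


def parse_version(s: str) -> Tuple[Tuple[int, int, int], Optional[str], int]:
    """'2.4.7-p8' -> ((2, 4, 7), 'p', 8); '2.4.7' -> ((2, 4, 7), None, 0)."""
    m = VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {s!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    kind = m.group(4)
    num = int(m.group(5)) if m.group(5) else 0
    return base, kind, num


def extract_version(cli_output: str) -> str:
    """Pull the first x.y.z[-suffixN] token out of a line of CLI output."""
    m = VERSION_RE.search(cli_output)
    if not m:
        raise ValueError(f"no version found in {cli_output!r}")
    return m.group(0)


def is_affected(version: str) -> bool:
    base, kind, num = parse_version(version)
    if base < (2, 4, 4):
        # Assumption: "and lower" covers every older branch (all long out of support).
        return True
    ceiling = AFFECTED_CEILINGS.get(base)
    if ceiling is None:
        # Assumption: a branch newer than 2.4.9 is not in scope of this advisory.
        return False
    c_kind, c_num = ceiling
    return (SUFFIX_RANK[kind], num) <= (SUFFIX_RANK[c_kind], c_num)


if __name__ == "__main__":
    # Constructed sample line; compare with the real output of `bin/magento --version`.
    sample_cli_line = "Magento CLI 2.4.7-p8"
    v = extract_version(sample_cli_line)
    print(f"{v}: {'AFFECTED, apply the vendor patch' if is_affected(v) else 'not in the affected range'}")
    for probe in ("2.4.9-alpha3", "2.4.9-alpha4", "2.4.7-p9", "2.4.4", "2.4.3-p3"):
        print(f"{probe:14} affected={is_affected(probe)}")
```

Treat a "not affected" answer from this script as a hint, not a verdict: it reasons purely from the version string, so a deployment that backported the fix by hand, or one that reports a version its code no longer matches, needs to be confirmed against the vendor's own release notes.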
Risk and Exploitability
The CVSS base score is 5.5 (medium severity); the moderate score reflects the high privilege required to trigger the flaw rather than a harmless impact. EPSS is below 1%, indicating a low estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so no confirmed in-the-wild exploitation has been recorded. None of this makes the flaw safe to leave unpatched: a high-privileged attacker, for example one using a compromised or malicious administrative account, who can reach the vulnerable endpoint can exploit the SSRF without any user interaction and pivot to internal resources that trust the Commerce server.
OpenCVE Enrichment