Impact
Adobe Commerce versions 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 and earlier contain an Incorrect Authorization vulnerability (CWE‑863). An attacker with low privileges can bypass security checks and gain unauthorized access to restricted features. This flaw allows limited feature exploitation without any user interaction, potentially exposing sensitive data or enabling further privilege escalation.
Affected Systems
Affects Adobe Commerce and the related Magento Open Source CPEs for versions 2.4.4 through 2.4.9-alpha3, including all patch releases (p1–p16) and earlier snapshots. The vulnerability applies to both the Commerce and Commerce B2B product lines across the listed version ranges.
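A defender-side check of the version ranges above, added here as an example (it is not OpenCVE's or Adobe's code): the per-line ceilings are the releases named in this advisory, and the ordering of alpha/beta/patch suffixes is an assumption about Magento's version scheme.

```python
"""Decide whether an installed Adobe Commerce / Magento version falls inside
the affected ranges: the release named for each 2.4.x line and everything
earlier on that line. Lines newer than any listed are reported as unknown."""
import re
from typing import Optional, Tuple

# Highest affected release per 2.4.x line, taken from the advisory text.
AFFECTED_CEILINGS = {
    (2, 4, 4): "2.4.4-p16",
    (2, 4, 5): "2.4.5-p15",
    (2, 4, 6): "2.4.6-p13",
    (2, 4, 7): "2.4.7-p8",
    (2, 4, 8): "2.4.8-p3",
    (2, 4, 9): "2.4.9-alpha3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Assumed suffix ordering: pre-releases sort before the bare release,
# patch releases ("-pN") after it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.7-p8' into a sortable tuple (2, 4, 7, rank, 8)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    return (int(major), int(minor), int(patch), _SUFFIX_RANK[kind], int(num or 0))


def is_affected(installed: str) -> Optional[bool]:
    """True if installed <= the advisory ceiling for its line, False if it is
    newer than that ceiling, None if the line is not covered by the advisory."""
    v = parse_version(installed)
    ceiling = AFFECTED_CEILINGS.get(v[:3])
    if ceiling is None:
        # The advisory says "and earlier", so lines before 2.4.4 count as affected.
        return True if v[:3] < (2, 4, 4) else None
    return v <= parse_version(ceiling)


if __name__ == "__main__":
    for sample in ("2.4.7-p8", "2.4.7-p9", "2.4.9-alpha3", "2.4.9", "2.4.10"):
        print(sample, "->", is_affected(sample))
```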
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability in the low-to-moderate severity range. EPSS is below 1%, indicating a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The flaw is exploitable remotely over the network without user interaction and requires only a low-privileged account, not an elevated one. While the overall risk is not high, the impact of unauthorized feature access warrants prompt attention.
OpenCVE Enrichment