Impact
Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 are vulnerable to an Incorrect Authorization flaw (CWE-863) that allows an attacker to bypass security mechanisms and obtain view-level access to protected data without any user interaction. The vulnerability can lead to unauthorized exposure of confidential information, violating data integrity and confidentiality. Because the flaw bypasses built-in security checks, it effectively removes the protective barrier that normally isolates non-privileged users from sensitive content.
Affected Systems
The affected product is Adobe Commerce (also known as Magento) across a range of versions: 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier releases. These versions are listed in the provided CPE data and are vulnerable to the described authorization bypass. All installations running these or earlier releases should be considered at risk.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity, and the associated EPSS score of less than 1% suggests a low current probability of exploitation, which does not diminish the potential impact. The vulnerability is exploitable remotely, requires no user interaction, and can be leveraged by an attacker with network reach to the Commerce instance. A successful exploit would grant unauthorized view-level access to restricted data, compromising confidentiality. The issue is not listed in the CISA KEV catalog, but its high severity and network-reachable, interaction-free attack vector warrant immediate attention.
OpenCVE Enrichment