Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Published: 2026-03-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

Adobe Commerce versions 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 and earlier are affected by an Incorrect Authorization vulnerability (CWE‑863). The flaw allows an attacker to bypass a software‑defined security feature without user interaction, potentially creating a privilege escalation path. The impact is limited to integrity and availability of data due to the security deception, but the ability to circumvent access controls poses a significant risk to business operations.

Affected Systems

Affected vendors include Adobe: Adobe Commerce, with affected release lines up through 2.4.9‑alpha3 and earlier. The vulnerability also applies to the Magento open source platform for the same version ranges referenced in the CPE data.

Risk and Exploitability

The CVSS v3 score of 4.7 denotes a medium severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting a lower priority for exploit discovery. Attackers would need to target the exposed web or API endpoints, but the exploit does not require user interaction and depends on environmental conditions that may be outside the attacker’s control.

Generated by OpenCVE AI on March 17, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current Adobe Commerce or Magento version you are running.
  • If you are on any of the vulnerable releases (2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 or earlier), obtain and apply the latest security patch or upgrade to a version where the issue is resolved.
  • Apply the patch in a testing environment first and then roll out to production once verified.
  • Restrict or monitor access to the affected API and administrative endpoints as a temporary protective measure.
  • Continuously check Adobe’s security advisories or your vendor’s update portal for any newly released mitigations or work‑arounds.

Generated by OpenCVE AI on March 17, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:*:*:*:*:open_source:*:*:*

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe commerce
Adobe commerce B2b
Adobe magento
CPEs cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:beta3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p14:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p15:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:beta3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.9:alpha3:*:*:open_source:*:*:*
Vendors & Products Adobe commerce
Adobe commerce B2b
Adobe magento

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Commerce
Vendors & Products Adobe
Adobe adobe Commerce

Wed, 11 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Title Adobe Commerce | Incorrect Authorization (CWE-863)
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L'}

Subscriptions

Adobe Adobe Commerce Commerce Commerce B2b Magento
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:37:31.075Z

Reserved: 2025-12-12T22:01:18.206Z

Link: CVE-2026-21359

cve-icon Vulnrichment

Updated: 2026-03-11T13:37:27.160Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T03:15:55.693

Modified: 2026-03-11T18:08:47.597

Link: CVE-2026-21359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:10Z

Weaknesses