Impact
The Magento‑lts application contains a flaw that lets an attacker discover the location of the administration interface by sending requests that include a specific header, X‑Original‑Url. The vulnerability is classified as a confidentiality weakness (CWE‑200). When the header is present, the server can expose the admin‑url path or allow it to be inferred, so an unauthenticated user can identify the exact location of a privileged resource.
Affected Systems
The affected product is the OpenMage Long‑Term‑Support edition of Magento. All instances running a version older than 20.16.1 are vulnerable; the fix is included in 20.16.1 and later releases. The specific admin‑url path is not hard coded and depends on the deployment configuration, but the exposure occurs in every configuration that allows the header to pass through to the application.
Risk and Exploitability
The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a very low probability of active exploitation at this time. Sending the request header requires no privilege, so anyone who can reach the web application can attempt to enumerate the admin path. Although the vulnerability is not currently listed in the CISA KEV catalog, it remains a risk because attackers may use automated scans to locate the admin interface and then attempt credential‑guessing or privilege‑bypass attacks against it.
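For defenders who want to know whether clients are sending this header, the following added example (not part of the advisory or of OpenMage's code) summarizes, per client address, the requests in a web server access log that carried X‑Original‑Url. It assumes an nginx log_format equal to the combined format with one extra quoted field for $http_x_original_url at the end; the function name, the trusted_senders parameter and the sample log lines are constructed for illustration.

```python
import re

# Assumed format (not from the advisory): nginx "combined" plus a trailing
# quoted $http_x_original_url field. nginx logs "-" when the header is absent
# and escapes embedded quotes as \x22, so a quoted field never contains '"'.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xou>[^"]*)"$'
)

# Constructed sample input; addresses are from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "constructed-agent" "/constructed-value-1"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "constructed-agent" "/constructed-value-2"
203.0.113.20 - - [01/Jan/2025:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 901 "-" "constructed-agent" "-"
192.0.2.10 - - [01/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "constructed-agent" "/constructed-value-3"
not a log line
"""


def find_header_senders(log_text, trusted_senders=frozenset()):
    """Return ({client_ip: summary}, unparsed_line_count).

    trusted_senders (hypothetical parameter) lists front proxies that are
    expected to set the header themselves and should not be reported.
    """
    findings, unparsed = {}, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # surface format drift instead of hiding it
            continue
        value, ip = m["xou"], m["ip"]
        if value in ("", "-") or ip in trusted_senders:
            continue
        entry = findings.setdefault(
            ip, {"requests": 0, "values": set(), "first_seen": m["ts"]})
        entry["requests"] += 1
        entry["values"].add(value)
        entry["last_seen"] = m["ts"]
    return findings, unparsed


if __name__ == "__main__":
    report, skipped = find_header_senders(SAMPLE_LOG, {"192.0.2.10"})
    for ip, info in report.items():
        print(ip, info["requests"], sorted(info["values"]))
    print("unparsed lines:", skipped)
```

A non-zero unparsed count usually means the log format differs from the assumed one, in which case an empty report is not evidence that the header was never sent.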