Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce versions before 2.4.9-beta1 contain an Incorrect Authorization flaw that allows an attacker to bypass security controls and obtain write permissions that should be restricted. This weakness can lead to unauthorized code deployment, data modification, or other malicious actions. Because the vulnerability does not require user interaction, an adversary can exploit it remotely by sending specially crafted requests to the application.

Affected Systems

The flaw affects Adobe Commerce products, specifically the builds 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. With no required user interaction, the attack vector is likely remote via web requests. The EPSS score is not available, but near-zero probability is not ruled out. The vulnerability is not listed in CISA KEV, so no publicly confirmed exploit commands exist yet. Nevertheless, the combination of a high CVSS score and a remote exploitation path makes the risk significant for unpatched installations.

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Commerce to the latest patched version that resolves the incorrect authorization issue.
  • If upgrading immediately is not possible, review and tighten role‑based permissions so that write access is granted only to trusted administrative roles and remove any unintended permissions that may be exploited.
  • After applying the patch or restructuring permissions, monitor web logs for anomalous write operations and confirm that unauthorized access attempts are being blocked.

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Commerce
Vendors & Products Adobe
Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Title Adobe Commerce | Incorrect Authorization (CWE-863)
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Adobe Adobe Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T19:50:22.619Z

Reserved: 2026-03-30T17:30:36.492Z

Link: CVE-2026-34646

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T20:16:35.560

Modified: 2026-05-12T20:16:35.560

Link: CVE-2026-34646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:00:16Z

Weaknesses