Impact
Adobe Commerce is vulnerable to a server-side request forgery (SSRF). An attacker who can entice a user to visit a malicious URL or interact with a compromised page can use it to bypass security mechanisms and gain unauthorized read access to protected resources. The flaw arises from incorrect handling of remote requests: the server can be tricked into fetching data from internal or restricted addresses, which amounts to a security feature bypass. This is a scope-changing vulnerability that can lead to information disclosure and further exploitation once the attacker gains read access.
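The defensive counterpart of the flaw described above is an egress check on every server-side fetch: resolve the requested host and refuse any address that is loopback, private, link-local or otherwise non-routable. The following is an added example of that check, not Adobe Commerce code; the allowed schemes and ports, the host names and the lookup table are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}  # hypothetical egress policy for server-side fetches
ALLOWED_PORTS = {80, 443}
def system_resolver(host: str) -> List[str]:
    # Every address the name maps to (A and AAAA); the resolver to use in production.
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})
# Constructed lookup table so the example runs offline without DNS.
CONSTRUCTED_DNS = {"vendor.example": ["93.184.216.34"], "metadata.internal": ["169.254.169.254"],
                   "dual.example": ["93.184.216.34", "10.0.0.5"]}
def table_resolver(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"no such host: {host}")
    return CONSTRUCTED_DNS[host]
def address_is_internal(addr: str) -> bool:
    # Loopback, RFC 1918/ULA, link-local (where cloud metadata lives), multicast, reserved...
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)

def check_fetch_url(url: str, resolve: Callable[[str], Iterable[str]] = system_resolver) -> Tuple[bool, str]:
    # Returns (allowed, reason). Connect to the vetted address afterwards, not to a fresh lookup, or DNS rebinding defeats the check.
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    host = parts.hostname or ""  # an empty host fails resolution below
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:  # judge every address the name maps to, not the string the user typed
        if address_is_internal(addr):
            return False, f"{host} maps to internal address {addr}"
    return True, f"ok: {host} -> {', '.join(addrs)}"
```

Pass `table_resolver` to exercise the constructed cases offline; in production keep the default `system_resolver`.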
Affected Systems
Affected are Adobe Commerce 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases. Any server running one of those versions of Adobe Commerce is exposed.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.4, indicating moderate-to-high severity. Exploitation requires user interaction: an attacker must entice the victim into clicking a malicious link or loading a compromised page. Because the attack hinges on user action, the practical likelihood of exploitation is lower than for purely automated attacks, but the impact once achieved is significant. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of widespread exploitation yet. Nevertheless, because it allows a security feature bypass and unauthorized read access, it warrants prompt remediation.
OpenCVE Enrichment