Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled resource consumption flaw that allows attackers to exhaust system resources and trigger a denial‑of‑service condition on Adobe Commerce applications. This weakness, classified as CWE‑400, can cause the affected application to become unresponsive or crash without requiring any user interaction. The impact is limited to application availability but can indirectly affect end‑users through service disruption.

Affected Systems

Adobe Commerce versions 2.4.9-beta1, 2.4.8‑p4, 2.4.7‑p9, 2.4.6‑p14, 2.4.5‑p16, 2.4.4‑p17 and all earlier releases are susceptible. Any deployment of these versions is at risk until updated.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, while the lack of an EPSS score and absence from the KEV list suggest that there is no current evidence of widespread exploitation. Nonetheless, the flaw can be triggered remotely without authentication or user interaction, making it a low‑barrier attack. Adversaries could target resource‑intensive features of the application or employ automated requests to exhaust memory or CPU, leading to a denial‑of‑service.

Generated by OpenCVE AI on May 12, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade Adobe Commerce to a version released after 2.4.9-beta1 as described in the Adobe security advisory.
  • Implement application‑level rate limiting or resource quotas to constrain the amount of CPU and memory that a single user or request can consume.
  • Configure the web server or load balancer to throttle or block excessive requests that could exhaust system resources, thereby reducing the likelihood of a denial‑of‑service attack.


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Values added (none removed):

Description: Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Title: Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Weaknesses: CWE-400
References
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T00:21:43.200Z

Reserved: 2026-03-30T17:30:36.492Z

Link: CVE-2026-34649

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:35.917

Modified: 2026-05-12T20:16:35.917

Link: CVE-2026-34649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses