Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce is vulnerable to uncontrolled resource consumption, which can allow an attacker to exhaust system resources and cause an application denial-of-service. The weakness is identified as CWE-400. Exploitation does not require user interaction, potentially allowing remote attackers to trigger the issue.

Affected Systems

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases are affected. Only those deployments running these versions are at risk.

Risk and Exploitability

The CVSS score of 7.5 falls in the High severity range. EPSS is not available, and the vulnerability is not listed in CISA KEV. Based on the description, the attack vector is inferred to be remote or via an exposed API, as an attacker can trigger the resource exhaustion without user interaction.

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched Adobe Commerce release that removes the resource exhaustion flaw.
  • Restrict or rate-limit the vulnerable endpoint to reduce the impact of high-volume requests.
  • Enable monitoring of CPU and memory usage to detect abnormal spikes early.


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Type: Title
Values Removed: (none)
Values Added: Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-400

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T00:24:20.745Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34651

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:36.150

Modified: 2026-05-12T20:16:36.150

Link: CVE-2026-34651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses