Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper limitation of a pathname to a restricted directory (CWE-22), that is, a path traversal. An attacker who already holds an administrative account can supply a pathname that resolves outside the directory the application intends to confine it to, and so read or write arbitrary files on the server. No user interaction is required once the attacker has administrative access. Based on the description and the CVSS vector (C:H/I:H), an attacker could read sensitive data such as application configuration and overwrite or create files; on a PHP application an arbitrary file write often leads to code execution, but the description does not state this, so that further impact is inferred rather than documented.
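The weakness described above, shown as an added example that is not Adobe Commerce code and not from the OpenCVE analysis: a naive "join the user path onto the restricted directory" beside a hardened resolver that canonicalises the result and checks containment by path components. The directory names (pub/media, app/etc, env.php) are assumptions chosen to look like a PHP web root; the tree is constructed in a temporary directory and the logic is language-neutral. Assumes a POSIX filesystem where symlinks can be created.

```python
import os
import shutil
import tempfile


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """The weak pattern: join and trust the result.

    '..' segments walk out of base_dir, an absolute user_path replaces it
    entirely (os.path.join discards base_dir), and a symlink inside
    base_dir can point anywhere.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return the canonical path if it stays inside base_dir, else raise."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(base_dir)
    # Strip leading separators so an absolute input is treated as relative
    # to root instead of replacing it.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # realpath has resolved '..' and symlinks; compare path components, not
    # string prefixes, so '/srv/app' does not accept '/srv/app-evil/x'.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{user_path!r} resolves outside {root}")
    return candidate


def classify(base_dir: str, user_path: str) -> dict:
    """Report whether the unsafe join escapes base_dir and what the safe one does."""
    root = os.path.realpath(base_dir)
    unsafe = os.path.realpath(unsafe_resolve(base_dir, user_path))
    result = {"unsafe_escapes": os.path.commonpath([root, unsafe]) != root}
    try:
        safe_resolve(base_dir, user_path)
        result["safe"] = "allowed"
    except ValueError:
        result["safe"] = "rejected"
    return result


def demo() -> dict:
    """Build a throwaway tree (constructed data) and classify sample inputs."""
    tmp = tempfile.mkdtemp()
    try:
        media = os.path.join(tmp, "pub", "media")  # the 'restricted directory'
        config = os.path.join(tmp, "app", "etc")   # something outside it
        os.makedirs(media)
        os.makedirs(config)
        with open(os.path.join(media, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG")
        with open(os.path.join(config, "env.php"), "w") as fh:
            fh.write("<?php return ['db' => []];")
        # A symlink inside the restricted directory that points outside it.
        os.symlink(config, os.path.join(media, "link"))
        samples = [
            "logo.png",                      # legitimate
            "../../app/etc/env.php",         # classic traversal
            "/etc/passwd",                   # absolute path: safe version keeps it under root
            "link/env.php",                  # symlink escape, only caught after realpath
            "sub/../../../app/etc/env.php",  # traversal through a non-existent component
        ]
        return {s: classify(media, s) for s in samples}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for sample, verdict in demo().items():
        print(f"{sample!r:36} {verdict}")
```

The point of the symlink sample is that a lexical check on the string (rejecting `..`) is not enough: only resolving the path on the real filesystem and then testing containment catches it, and the containment test itself has to be component-wise rather than a string prefix.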

Affected Systems

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier releases are affected. The affected product is Adobe Commerce (vendor Adobe).

Risk and Exploitability

The CVSS v3.1 base score of 8.7 (High) comes from the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N: the flaw is reachable over the network with low attack complexity and no user interaction, but requires high privileges. Scope is changed, which under v3.1 weights PR:H at 0.50 instead of 0.27 and scales the final score by 1.08; that is why a high-privilege precondition still yields a High score. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Because exploitation requires an authenticated administrative account, the threat surface is limited to privileged accounts, although a malicious administrator or an admin session obtained through phishing or credential reuse removes that limitation. Arbitrary file read and write compromise confidentiality and integrity; further impact is not documented but is inferred.

Generated by OpenCVE AI on May 12, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the first Adobe Commerce release that contains the fix for this path traversal bug as soon as Adobe publishes it; at the time of this entry no fixed version or workaround is listed.
  • Until then, limit what a compromised or malicious administrator can reach. File system permissions apply to the web server or PHP process user, not to application admin accounts, so run that process as a dedicated user with write access only to the directories the application must write at runtime (for example var/, pub/media/ and generated/) and keep the rest of the code base and app/etc/ read-only to it. Reduce the number of administrative accounts, require two-factor authentication for them, and restrict access to the admin panel by IP allow-list or VPN.
  • Implement continuous file integrity monitoring over the code base and configuration (app/etc/ in particular) to detect unexpected file changes or creations, and review admin activity logs for file-related operations.
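The file integrity monitoring recommended in the last item, as an added example that is not part of the OpenCVE text and not a product feature: hash every file under the web root into a baseline manifest, diff a later snapshot against it, and report only the changes that fall outside the directories the application is expected to write to at runtime. The expected-writable prefixes and the file names in the scenario are assumptions chosen to resemble a PHP web root; the before/after tree is constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

# Paths a PHP web application legitimately writes to at runtime (assumed
# here for illustration). Changes anywhere else are findings.
EXPECTED_WRITABLE = ("var/", "pub/media/", "generated/")


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def findings(diff: dict) -> list:
    """Changes outside the expected-writable prefixes are what an analyst reviews."""
    return sorted(
        path
        for paths in diff.values()
        for path in paths
        if not path.startswith(EXPECTED_WRITABLE)
    )


def _write(root: str, rel: str, data: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)


def demo() -> tuple:
    """Constructed scenario: baseline a tiny web root, then simulate the
    kinds of change an arbitrary file write could produce."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "app/etc/env.php", "<?php return ['db' => ['host' => 'db']];")
        _write(root, "pub/index.php", "<?php require 'bootstrap.php';")
        _write(root, "pub/media/logo.png", "png-bytes")
        baseline = hash_tree(root)
        # After the (simulated) incident: configuration modified ...
        _write(root, "app/etc/env.php", "<?php return ['db' => ['host' => 'attacker']];")
        # ... a new file in the web root ...
        _write(root, "pub/dropped.php", "<?php /* unexpected new file */")
        # ... and a benign runtime write that must not alert.
        _write(root, "var/cache/page", "cache entry")
        diff = diff_manifests(baseline, hash_tree(root))
        return diff, findings(diff)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    changes, alerts = demo()
    print("changes:", changes)
    print("alerts:", alerts)
```

In a real deployment the baseline must be stored where the monitored host cannot rewrite it (off-host or signed), because an attacker with arbitrary file write could otherwise update the manifest along with the files; the comparison should also run from a trusted copy of this script, not one living in the web root.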

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe; Adobe adobe Commerce
Vendors & Products                    Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.
Title                          Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Adobe Adobe Commerce
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T19:50:29.984Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34653

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T20:16:36.387

Modified: 2026-05-12T20:16:36.387

Link: CVE-2026-34653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:00:12Z

Weaknesses