Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.
Published: 2026-05-12
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce is vulnerable to an Improper Authorization flaw (CWE-285) that allows a user who visits a maliciously crafted URL or interacts with a compromised web page to bypass security controls and obtain unauthorized write privileges. The vulnerability permits the attacker to create or modify data that should be protected, effectively compromising data integrity and confidentiality.

Affected Systems

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and any earlier releases are affected. The affected vendor is Adobe.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Since the EPSS score is unavailable, the exact likelihood of exploitation is uncertain; however, the requirement for user interaction (clicking a malicious link or visiting a compromised page) limits the attack surface. The flaw is a classic improper authorization problem (CWE-285) that allows attackers to write data they should not be permitted to modify.

Generated by OpenCVE AI on May 12, 2026 at 22:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Commerce to the latest version that includes the security fix for this vulnerability
  • Apply any Adobe patch or update that addresses Improper Authorization as documented in Adobe's security advisory
  • Configure access control lists to restrict write operations to privileged users, limiting potential damage if an unauthorized user is authenticated

Advisories

No advisories yet.

History

Wed, 13 May 2026 02:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.

Type: Title
Values Removed: (none)
Values Added: Adobe Commerce | Improper Authorization (CWE-285)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-285

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T01:31:16.951Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34656

Vulnrichment

Updated: 2026-05-13T01:31:12.810Z

NVD

Status: Received

Published: 2026-05-12T20:16:36.720

Modified: 2026-05-12T20:16:36.720

Link: CVE-2026-34656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses