Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-05-12
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation, identified as CWE-20, allows a high-privileged attacker to bypass security controls in Adobe Commerce. The vulnerability is triggered when a user visits a maliciously crafted URL, and it results in unauthorized write access to the file system. Scope is changed (S:C), indicating that a successful bypass can affect resources beyond the vulnerable component's own security scope. The CVSS score of 3.4 reflects a low overall severity, but an unauthorized file system write can still have significant impact if exploited.

Affected Systems

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases are affected. The affected product is Adobe Commerce (formerly Magento), provided by Adobe.

Risk and Exploitability

The CVSS score indicates low exploitability overall, and the requirements for high privileges and user interaction further reduce the probability that an attacker can obtain the necessary context. No EPSS score was available at the time of analysis and the vulnerability is not listed in CISA KEV, suggesting no known public exploits. However, because scope is changed, once the bypass is triggered through a crafted web request the attacker can perform write operations that would normally be restricted, exposing the system to data tampering or persistence mechanisms.

Generated by OpenCVE AI on May 12, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Commerce patch or upgrade to a version that contains the fix (for example, 2.4.10 or later).
  • Restrict file system write permissions for the directories targeted by the vulnerability and remove any unnecessary write capabilities for application processes.
  • Deploy a web application firewall or input filtering mechanism to block malformed requests that exploit the input validation flaw.


Advisories

No advisories yet.

History

Wed, 13 May 2026 02:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Type: Title
Values Removed: (none)
Values Added: Adobe Commerce | Improper Input Validation (CWE-20)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T01:33:03.244Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34685

Vulnrichment

Updated: 2026-05-13T01:32:58.474Z

NVD

Status : Undergoing Analysis

Published: 2026-05-12T20:16:38.480

Modified: 2026-05-13T14:49:11.830

Link: CVE-2026-34685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses