Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20.18.0.
Published: 2026-05-15
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Magento LTS XML-RPC / SOAP API session ID generation. Session identifiers were produced by hashing only timestamp-derived data with MD5, without any cryptographic salt or secure source of randomness. Consequently the resulting digests have far less than the required 64 bits of entropy and can be predicted and brute-forced by an attacker. An attacker who learns the time or can observe server state can generate a small set of candidate hashes, perform a high-speed online brute-force attack, and hijack active API sessions. The flaw violates the OWASP ASVS and NIST SP 800-63B session-ID entropy requirements.

Affected Systems

The affected product is OpenMage Magento LTS. All versions older than 20.18.0 are vulnerable. The vulnerability was fixed in release 20.18.0.

Risk and Exploitability

The CVSS score is 9.3, reflecting a critical-severity vulnerability that can be exploited remotely against any internet-exposed instance that uses the XML-RPC/SOAP API. EPSS data is unavailable, and the vulnerability is not listed in CISA KEV; however, the lack of rate limiting combined with the low-entropy session IDs makes a brute-force attack highly feasible. An attacker can enumerate session identifiers in real time, hijack sessions, and gain unauthorized access to the API. The vulnerability does not require authentication to the API itself, only the ability to send requests to the exposed endpoints. It can be exploited from outside the organisation with knowledge of the target server's clock or by leveraging predictable LCG state leakage.

Generated by OpenCVE AI on May 15, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magento LTS installation to version 20.18.0 or later to replace the insecure session‑ID generation with a cryptographically secure randomness source.
  • If an upgrade cannot be performed immediately, disable or restrict external access to the XML‑RPC and SOAP API endpoints so that only trusted internal systems can reach them.
  • Apply strict rate limiting or throttling to the API endpoints to mitigate high‑speed brute‑force attempts against session identifiers.
  • Monitor API logs for repeated attempts to use the same or sequential session IDs and investigate any suspicious activity.
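As an added example (not code from the page, OpenCVE or the Magento LTS project), the following Python detector implements the last two recommendations over constructed log lines in a hypothetical format: it flags a client that presents many distinct rejected session IDs within a short window (enumeration against the weak session IDs) and any accepted session ID presented from more than one client address (a hijack candidate).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample API access-log lines in a hypothetical format (not real Magento LTS output):
# timestamp, client IP, endpoint, presented session id, HTTP status.
SAMPLE_LOG = """\
2026-05-15T18:00:00Z 203.0.113.10 /api/xmlrpc sid=5d41402abc4b2a76 status=401
2026-05-15T18:00:00Z 203.0.113.10 /api/xmlrpc sid=7d793037a0760186 status=401
2026-05-15T18:00:01Z 203.0.113.10 /api/xmlrpc sid=e4d909c290d0fb1c status=401
2026-05-15T18:00:01Z 203.0.113.10 /api/xmlrpc sid=9e107d9d372bb682 status=401
2026-05-15T18:00:02Z 203.0.113.10 /api/xmlrpc sid=d3b07384d113edec status=200
2026-05-15T18:00:05Z 198.51.100.7 /api/soap sid=d3b07384d113edec status=200
2026-05-15T18:00:09Z 192.0.2.44 /api/soap sid=c157a79031e1c40f status=200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) sid=(\w+) status=(\d{3})$")

def parse(log):
    """Parse log lines into (timestamp, ip, endpoint, sid, status) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def enumeration_sources(events, window_s=60, threshold=4):
    """IPs that presented >= threshold distinct rejected session ids within window_s seconds."""
    rejected = defaultdict(list)  # ip -> [(ts, sid), ...]
    for ts, ip, _ep, sid, status in events:
        if status in (401, 403):
            rejected[ip].append((ts, sid))
    flagged = set()
    for ip, hits in rejected.items():
        hits.sort()
        for i, (start, _sid) in enumerate(hits):  # slide the window start over each rejected hit
            distinct = {s for t, s in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(distinct) >= threshold:
                flagged.add(ip)
                break
    return flagged

def shared_sessions(events):
    """Accepted session ids presented from more than one client IP: hijack candidates."""
    ips_by_sid = defaultdict(set)
    for _ts, ip, _ep, sid, status in events:
        if status == 200:
            ips_by_sid[sid].add(ip)
    return {sid: ips for sid, ips in ips_by_sid.items() if len(ips) > 1}
```

The thresholds are placeholders; tune the window and count to the API's normal failure rate before alerting on them.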

Advisories
Source: GitHub GHSA
ID: GHSA-2cwr-gcf9-pvxr
Title: Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
History

Fri, 15 May 2026 18:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 17:15:00 +0000

Type: Description
Values Removed: none
Values Added: Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20.18.0.

Type: Title
Values Removed: none
Values Added: Magento LTS: Weak API Session ID — Predictable MD5 of Time-Derived Inputs

Type: Weaknesses
Values Removed: none
Values Added: CWE-330, CWE-331, CWE-338

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV4_0
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:36:27.793Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42155

Vulnrichment

Updated: 2026-05-15T17:36:10.470Z

NVD

Status: Received

Published: 2026-05-15T17:16:46.613

Modified: 2026-05-15T18:16:24.663

Link: CVE-2026-42155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:30:05Z

Weaknesses