Adobe Commerce Incorrect Authorization Vulnerability

MEDIUM (5.9) No Patch (67 days)

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.14% chance of exploitation (percentile: 35%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Adobe Commerce is an e-commerce platform used by businesses to manage their online stores. This vulnerability allows attackers to bypass authorization checks and gain unauthorized read access to sensitive data.

Am I affected?

You're affected if you use Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, or earlier. Check your installed version with osv.dev or the Trivy package scanner.

Note: This is Adobe Commerce, not Magento (which is a similar e-commerce platform). If you don't recognize the name, you're probably not affected.

Affected Products

Adobe Inc. / Adobe Commerce

How to fix

Concrete steps:

  • Upgrade to Adobe Commerce version 2.5.0 or later.
  • Immediate mitigations:
    • Restrict network access to your Adobe Commerce instance (firewall it from the public internet).
    • Audit admin account activity for suspicious access patterns.
    • Monitor for unauthorized token creation.
