CVE-2026-21286

MEDIUM

Adobe Commerce <=2.4.9-alpha3 - Auth Bypass

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.

References (1)

[Various Sources] https://helpx.adobe.com/security/products/magento/apsb26-05.html

Scores

CVSS v3 5.3

EPSS 0.0008

EPSS Percentile 22.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-863

Status published

Products (4)

adobe/commerce 2.4.4 (17 CPE variants)

adobe/commerce 2.4.5 (16 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

adobe/commerce 2.4.7 (3 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026