CVE-2026-21296

MEDIUM

Adobe Commerce <=2.4.9-alpha3 - Auth Bypass

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.

References (1)

[Various Sources] https://helpx.adobe.com/security/products/magento/apsb26-05.html

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 15.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-863

Status published

Products (4)

adobe/commerce 2.4.4 (17 CPE variants)

adobe/commerce 2.4.5 (16 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

adobe/commerce 2.4.7 (3 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026