CVE-2026-21309

HIGH

Adobe Commerce <=2.4.9-alpha3 - Auth Bypass

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

References (1)

[Various Sources] https://helpx.adobe.com/security/products/magento/apsb26-05.html

Scores

CVSS v3 7.5

EPSS 0.0014

EPSS Percentile 34.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

adobe/commerce 2.4.4 (17 CPE variants)

adobe/commerce 2.4.5 (16 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

adobe/commerce 2.4.7 (3 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026