CVE-2026-21359

MEDIUM

Adobe Commerce <=2.4.9-alpha3 - Auth Bypass

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

References (1)

[Various Sources] https://helpx.adobe.com/security/products/magento/apsb26-05.html

Scores

CVSS v3 4.7

EPSS 0.0007

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

Details

CWE

CWE-863

Status published

Products (4)

adobe/commerce 2.4.4 (17 CPE variants)

adobe/commerce 2.4.5 (16 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

adobe/commerce 2.4.7 (3 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026