CVE-2026-21359

MEDIUM

Adobe Commerce <=2.4.9-alpha3 - Auth Bypass

Title source: llm

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

References (1)

Core 1

Core References

Various Sources vendor-advisory

https://helpx.adobe.com/security/products/magento/apsb26-05.html

Scores

CVSS v3 4.7

EPSS 0.0009

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

adobe/commerce 2.4.4 (17 CPE variants)

adobe/commerce 2.4.5 (16 CPE variants)

adobe/commerce 2.4.6 (14 CPE variants)

adobe/commerce 2.4.7 (3 CPE variants)

Published Mar 11, 2026

Tracked Since Mar 11, 2026