RCE in Magento
Description
In Magento (the openmage/magento-lts package, distributed via Composer/Packagist; the original advisory text mislabels it as a rubygems package) before versions 19.4.8 and 20.0.4, an admin user can generate SOAP credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-15244: An admin user in Magento (OpenMage) can generate SOAP credentials enabling RCE via PHP Object Injection through product attributes.
CVE-2020-15244 affects the Magento LTS package (OpenMage/magento-lts) before versions 19.4.8 and 20.0.4 [1]. The vulnerability resides in product attribute handling: an admin user can generate SOAP credentials and, through the attribute and product APIs, place data that is later passed to PHP's unserialize(), giving PHP Object Injection and ultimately remote code execution (RCE) [3]. The root cause is unsafe deserialization of admin-controlled data in the product's recurring profile handling; the fix commit replaces the raw unserialize() call in the product collection with an array-only deserializer and stops the attribute API from deleting attributes that are not user-defined [4].
Exploitation
An attacker with administrative privileges on the Magento instance can create SOAP credentials and then store a malicious serialized PHP object in product attribute data [3]. Exploitation does not require any special network position, but it does demand prior authentication as an admin [2]. The attack surface is the SOAP API used to manage products and attributes; the two files touched by the fix point at the attribute remove() endpoint and at the recurring profile value that is deserialized whenever a product collection is loaded [4].
Impact
Successful exploitation yields arbitrary code execution on the server, potentially leading to full compromise of the Magento installation, data exfiltration, or further lateral movement within the infrastructure [1][3].
Mitigation
The vulnerability is patched in OpenMage versions 19.4.8 and 20.0.4 [1]. Users should upgrade immediately. The fix commit does two things: the product attribute API's remove() now refuses to delete attributes that are not user-defined, and the product collection deserializes the recurring profile with the core/unserializeArray helper instead of raw unserialize() [4]. No workarounds have been publicly documented beyond applying the update. Because the attack needs SOAP credentials issued by an admin, auditing which admin accounts and API users exist, and which roles they hold, is a sensible compensating check while the upgrade is scheduled.
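The root cause and the fix described above, as an added PHP example that is not OpenMage's code: a stand-in class with a `__wakeup` side effect shows why `unserialize()` on a stored attribute value is an object injection sink, and an array-only loader shows the shape of the hardened path. The class name `Gadget`, the function names and the two sample profile strings are constructed for illustration; the example assumes PHP 7.1 or later (for the `allowed_classes` option and the nullable return type).

```php
<?php
// Added example (not OpenMage code). Shows why unserialize() on a stored
// product attribute is a PHP Object Injection sink and how an array-only
// deserializer closes it. All names below are hypothetical.

// Stand-in for any loaded application class with a "magic" method. Real
// gadget chains reuse classes the framework already has; this one only
// proves that unserialize() instantiated a class the data store was never
// meant to name, and ran its code before the caller saw the value.
class Gadget
{
    public $cmd = '';

    public function __wakeup()
    {
        // Side effect executes inside unserialize(), before any type check.
        echo "Gadget::__wakeup ran with cmd={$this->cmd}\n";
    }
}

// Constructed stand-ins for the two kinds of value that can sit in a
// recurring_profile attribute: the legitimate array, and a payload an admin
// with API credentials could store through the product attribute API.
$benignProfile  = serialize(['period_unit' => 'month', 'period_frequency' => 1]);
$hostileProfile = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}';

// --- Vulnerable pattern (shape of the pre-fix Collection::_afterLoad) ------
function loadProfileVulnerable(string $stored)
{
    // Instantiates whatever class the string names; __wakeup/__destruct run.
    return unserialize($stored);
}

// --- Hardened pattern ------------------------------------------------------
// Three layers: refuse object tokens before parsing, tell PHP not to
// instantiate classes, and insist that the result is an array.
function containsSerializedObject(string $stored): bool
{
    // 'O:' and 'C:' introduce object and custom-object records. The cheap
    // pre-check doubles as a scan over exported attribute values.
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

function loadProfileHardened(string $stored): ?array
{
    if (containsSerializedObject($stored)) {
        // Real code would log this and treat the row as corrupt.
        return null;
    }
    // allowed_classes => false turns any object record into
    // __PHP_Incomplete_Class, so no application class is instantiated.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// --- Demonstration ---------------------------------------------------------
var_dump(loadProfileVulnerable($benignProfile));
loadProfileVulnerable($hostileProfile);          // Gadget::__wakeup fires here

var_dump(loadProfileHardened($benignProfile));
var_dump(loadProfileHardened($hostileProfile));  // null; __wakeup never runs
```

Run it with `php example.php`. For the hostile string the vulnerable loader executes the class's `__wakeup` before the caller can inspect the result, which is the whole problem: the sink runs attacker-chosen code regardless of what the caller does with the return value. The hardened loader returns null for that input and an array for the legitimate one. `containsSerializedObject()` is also the check to run over dumped attribute values when assessing whether an instance was already seeded with a payload before patching.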
- [1] NVD: CVE-2020-15244
- [2] GitHub: OpenMage/magento-lts (official OpenMage LTS codebase)
- [3] GitHub Security Advisory GHSA-jrgf-vfw2-hj26: RCE via PHP Object injection via SOAP Requests
- [4] Fix commit: Merge pull request from GHSA-jrgf-vfw2-hj26 · OpenMage/magento-lts@26433d1
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.8 | 19.4.8 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.4 | 20.0.4 |
Affected products
- OpenMage/magento-lts, version range: < 19.4.8
Patches
- 26433d15b579 Merge pull request from GHSA-jrgf-vfw2-hj26
2 files changed · +5 −1
app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php+4 −0 modified@@ -236,6 +236,10 @@ public function remove($attribute) $this->_fault('can_not_delete'); } + if (!$model->getIsUserDefined()) { + $this->_fault('can_not_delete'); + } + try { $model->delete(); return true;
app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php+1 −1 modified@@ -542,7 +542,7 @@ protected function _afterLoad() foreach ($this as $product) { if ($product->isRecurring() && $profile = $product->getRecurringProfile()) { - $product->setRecurringProfile(unserialize($profile)); + $product->setRecurringProfile(Mage::helper('core/unserializeArray')->unserialize($profile)); } }
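Review bot: In the Api.php hunk the new `!$model->getIsUserDefined()` guard reuses the `can_not_delete` fault that the preceding lines already raise, so an API client cannot distinguish "attribute could not be deleted" from "system attributes are not deletable"; a distinct fault code, or at least a comment stating that non-user-defined attributes are refused on purpose, would make the security intent explicit and keep a later maintainer from relaxing it as a usability bug. The guard also covers only remove(); the diff does not show whether create() or update() in the same API class refuse attribute codes that collide with system attributes, which is worth confirming before merge.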
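Review bot: In the Collection.php hunk the new `Mage::helper('core/unserializeArray')->unserialize($profile)` call has no try/catch, whereas the old `unserialize($profile)` returned false on unparsable input and the `foreach` simply moved on. If the helper rejects a non-array payload by throwing, one product row that already carries an object payload now aborts `_afterLoad()` for the whole collection, so every listing that includes that product fails to load. Suggest wrapping the call, logging with Mage::logException, and leaving the recurring profile unset for that product so the poisoned row is quarantined instead of taking the collection down.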
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-jrgf-vfw2-hj26 (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15244 (GHSA, ADVISORY)
- https://github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332ca8630b (GHSA, x_refsource_MISC, WEB)
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.