Magento Commerce Improper Input Validation Could Lead To Information Exposure and Privilege Escalation
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier have an IDOR vulnerability in `V1/customers/me` that allows authenticated attackers to access other customers' data and escalate privileges.
Vulnerability
An improper input validation vulnerability exists in Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The flaw is an insecure direct object reference (IDOR) in the V1/customers/me endpoint, which fails to properly validate that the authenticated user is authorized to access the requested customer resource [1].
Exploitation
An authenticated attacker can exploit this vulnerability by sending crafted requests to the V1/customers/me endpoint, manipulating parameters to reference other customer records. No special network position or write access is required; only valid authentication credentials are needed [1].
Impact
Successful exploitation leads to information exposure of other customers' data and potential privilege escalation. The attacker may view sensitive personal information and gain elevated access within the application [1].
Mitigation
As of the publication date, no official patch has been released. Adobe has not disclosed a fixed version in the available references. Users are advised to monitor security advisories and apply updates when they become available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition | Packagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products (4)
- Range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7
- GHSA coordinates (2 versions): < 2.3.7-p1, and 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (v5) range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-5vw8-r55w-f4q4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36032 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (GHSA, x_refsource_MISC, web)
News mentions (0)
No linked articles in our index yet.