Magento Commerce API File Option Upload Extension Improper Input Validation Vulnerability Could Lead To Remote Code Execution
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier contain an improper input validation flaw in the API File Option Upload Extension that lets an attacker holding Admin privileges upload arbitrary files and achieve remote code execution.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension [1]. The extension does not adequately validate the uploaded input, so an authenticated attacker with Admin privileges can bypass the intended upload restrictions and place arbitrary files on the server [1]. The public description does not state which property of the upload (name, extension, MIME type, or content) goes unchecked.
Exploitation
An attacker must first hold administrative credentials for the Magento Commerce instance [1]; that is the only precondition the advisory states, so any Admin account, however obtained, is sufficient. With those privileges the attacker sends a request to the API endpoint that handles file uploads for product options carrying a file the endpoint should reject, for example a PHP script, which the web server will execute if it is written to a location under the document root where scripts are allowed to run [1]. The advisory does not publish the request format or the filesystem location of the upload, and no user interaction or race condition is described; the vulnerability is reached directly through the administrative API.
Impact
Successful exploitation results in unrestricted file upload, which can lead to remote code execution (RCE) on the underlying server [1]. Once a script is written somewhere the web server will execute it, the attacker runs arbitrary code as the PHP/web server user and can install backdoors, read the database credentials stored in the Magento configuration (app/etc/env.php), exfiltrate customer and order data, or pivot to connected systems. Because the precondition is Admin access, the practical severity depends on how well admin accounts and admin-scoped API tokens are protected; what this CVE removes is the boundary between "store administrator" and "code execution on the host".
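An added example, not taken from the page or from Magento's own code: a small Python scanner of the kind an incident responder would run after this advisory against the directory an unrestricted upload can reach. In a stock Magento 2 install, product custom-option uploads land under pub/media/custom_options/ (an assumption; the page does not name the directory the vulnerable endpoint writes to), so point it at whatever directory the upload handler uses. It flags files by script-type extension, including double extensions such as shell.php.jpg, by a PHP open tag in the first bytes regardless of file name, and by a stray .htaccess that could re-enable script execution. The tree it scans is constructed in a temporary directory; the extension list and sample contents are the author's assumptions, not data from the advisory.

```python
"""Scan an upload directory for files a PHP web server could be tricked into executing."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions that common PHP handler configurations execute (assumed list, not from the advisory).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
# A PHP open tag (<?php or the short echo <?=) anywhere in the file header, whatever the file is called.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def suspicious_files(root: str, head_bytes: int = 4096) -> List[Tuple[str, str]]:
    """Return (relative path, comma-joined reasons) for every file under root that looks executable."""
    base = Path(root)
    findings: List[Tuple[str, str]] = []
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        reasons: List[str] = []
        # path.suffixes lists every dotted part, so shell.php.jpg -> ['.php', '.jpg'] is caught too.
        if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
            reasons.append("script-extension")
        # An uploaded .htaccess can override the directory's "no script execution" rules on Apache.
        if path.name == ".htaccess":
            reasons.append("htaccess-override")
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
        if PHP_OPEN_TAG.search(head):
            reasons.append("php-open-tag")
        if reasons:
            findings.append((path.relative_to(base).as_posix(), ",".join(reasons)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed upload tree mimicking pub/media/custom_options/ (sample data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="custom_options-"))
    files: Dict[str, bytes] = {
        "quote/legit.png": b"\x89PNG\r\n\x1a\n" + bytes(16),               # benign image, should not be flagged
        "quote/shell.php": b"<?php system($_GET['c']); ?>",                 # classic web shell
        "order/photo.jpg": b"\xff\xd8\xff\xe0" + bytes(8) + b"<?php eval($_POST['x']); ?>",  # JPEG header, PHP body
        "order/notes.php.txt": b"plain text, wrong name",                    # double extension
        "order/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",    # re-enables execution of .jpg
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, reasons in suspicious_files(tree):
        print(f"{rel:25} {reasons}")
```

The header-only read keeps the scan cheap on large media trees; a shell hidden past the first 4 KiB of a real image would be missed, so raise head_bytes (or hash-compare against a known-good snapshot) when investigating a confirmed compromise.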
Mitigation
Adobe addressed this vulnerability in security bulletin APSB21-64. The fixed releases are Magento Commerce and Open Source 2.4.3, 2.4.2-p2, and 2.3.7-p1 [1]; installations on 2.4.2, 2.4.2-p1, 2.3.7, or anything earlier should move to one of those or a later release. No workaround has been provided by the vendor. As general hardening (not from the advisory), limit and audit Admin accounts and integration tokens with admin scope, keep two-factor authentication enforced for the admin, and confirm that the web server refuses to execute scripts from the media and upload directories (Magento ships a pub/media/.htaccess that disables PHP execution there on Apache; nginx deployments need the equivalent location rule). If an instance ran an affected version while its admin API was reachable, review the upload directories for unexpected script files rather than assuming the patch alone closes the incident. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that these ranges are narrower than the vendor description above: Adobe lists all of 2.4.2 and earlier as affected, while the second row starts only at 2.4.2-p1.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
| magento/community-edition | Packagist | < 2.3.7-p1 | 2.3.7-p1 |
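The following Python script is an added example, not part of this page or of Magento's own tooling. It reads the installed platform version from composer.lock (the magento/product-community-edition or magento/product-enterprise-edition package) and compares it against the vendor boundaries from APSB21-64 (fixed in 2.3.7-p1, 2.4.2-p2, and 2.4.3), so 2.4.0 through 2.4.2 are treated as affected even though the GHSA table's second row begins at 2.4.2-p1. The -pN suffix ordering is the part people get wrong by hand: 2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3. The composer.lock content is constructed inline.

```python
"""Check an installed Magento version against the CVE-2021-36042 affected ranges."""
import json
import re
from typing import Optional, Tuple

# Fixed releases named in Adobe APSB21-64 for CVE-2021-36042.
FIXED_2_3 = "2.3.7-p1"
FIXED_2_4_2 = "2.4.2-p2"
FIXED_2_4 = "2.4.3"

# Composer packages whose version is the platform version (Open Source / Commerce).
PLATFORM_PACKAGES = ("magento/product-community-edition", "magento/product-enterprise-edition")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.2-p1' into (2, 4, 2, 1).

    A release without a -pN security patch suffix gets patch level 0, so plain
    tuple comparison orders 2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3 correctly.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, micro, plevel = match.groups()
    return (int(major), int(minor), int(micro), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True if the version lies in the vendor's affected ranges:
    2.3.7 and earlier (fixed in 2.3.7-p1), 2.4.x below 2.4.2-p2 (fixed in 2.4.2-p2 / 2.4.3)."""
    v = parse_version(version)
    if v < (2, 4, 0, 0):
        return v < parse_version(FIXED_2_3)
    return v < parse_version(FIXED_2_4_2)


def recommended_fix(version: str) -> Optional[str]:
    """Smallest fixed release on the same branch, or None if the version is already fixed."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    if v < (2, 4, 0, 0):
        return FIXED_2_3
    if v >= (2, 4, 2, 0):
        return FIXED_2_4_2
    return FIXED_2_4  # 2.4.0 / 2.4.1 have no -pN fix; move to 2.4.3


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Return the platform version recorded in a composer.lock document, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in PLATFORM_PACKAGES:
            return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not a real file from a deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.2-p1"},
        {"name": "magento/product-community-edition", "version": "2.4.2-p1"},
    ]
})


if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(f"installed: {installed}  affected: {is_affected(installed)}  fix: {recommended_fix(installed)}")
    for sample in ("2.3.6", "2.3.7", "2.3.7-p1", "2.4.1", "2.4.2", "2.4.2-p1", "2.4.2-p2", "2.4.3"):
        print(f"{sample:10} affected={is_affected(sample)!s:5} fix={recommended_fix(sample)}")
```

Run it against the real composer.lock in the Magento root (replace SAMPLE_LOCK with the file contents); a version string the regex rejects, such as a dev branch alias, raises rather than silently reporting "not affected".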
Affected products
4 entries:
- Adobe Magento Commerce, range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7 (no CPE)
- GHSA coordinates, 2 versions (no CPE)
- Range: <= 2.0.2 (no CPE)
- Adobe/Magento Commerce (v5), range: unspecified
Patches
No patch commits discovered yet; the fixed releases are named in the Adobe bulletin listed under References.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-6cwv-wj7v-73xp (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-36042 (NVD)
3. helpx.adobe.com/security/products/magento/apsb21-64.html (Adobe security bulletin APSB21-64)
News mentions
No linked articles in our index yet.