Magento Commerce Authenticated Blind SSRF Could Lead To Remote Code Execution
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SSRF in the dotmailer extension bundled with Magento Commerce lets an authenticated administrator make the server send requests to internal hosts, and can be escalated to RCE on deployments that use Redis.
Vulnerability
Magento Commerce (Adobe Commerce) 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier bundle a dotmailer extension that contains a blind server-side request forgery (SSRF) vulnerability. An administrator-controlled value reaches code that issues a server-side HTTP request, so the Magento host can be made to contact hosts of the attacker's choosing, including loopback and internal addresses it alone can reach. The SSRF is blind: the response is not returned to the attacker, which limits direct data theft but not the ability to deliver a crafted request to an internal service [1].
Exploitation
The vulnerable code path is only reachable from the Magento admin back end, so an attacker needs a compromised or malicious administrator account. From there the attacker supplies a target that the dotmailer extension fetches server-side, which turns the Magento host into a proxy for probing internal services; because the SSRF is blind, probing relies on side effects such as timing and errors rather than on returned content. The escalation to remote code execution applies when the deployment uses Redis: Redis typically listens on loopback without authentication, and its line-oriented protocol tolerates lines it cannot parse, so a request the server is forced to send to the Redis port can carry commands that write attacker-controlled data into the store. If Magento later reads back and deserializes that data, the attacker's payload executes in the web server process [1].
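The check that a server-side fetch of this kind is missing, as an added example in Python and not code from Magento or the dotmailer extension: the hypothetical validate_outbound_url() resolves the target and refuses anything that is not a public address on a web port, which is what keeps an admin-supplied URL from reaching a loopback Redis or a cloud metadata endpoint. The DNS table is constructed so the example runs offline; every name in the block is an assumption.

```python
"""Validate an admin-supplied outbound URL before the server fetches it.

Added example, not code from Magento or the dotmailer extension. It shows the
check a server-side URL fetch needs so that a privileged user cannot aim the
server at loopback or internal services (a Redis instance on 127.0.0.1:6379,
cloud metadata on 169.254.169.254, ...). All names here are hypothetical.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Web ports only: rejects http://host:6379/ even when the host itself is public.
ALLOWED_PORTS = {80, 443}


class UnsafeUrl(ValueError):
    """Raised when the server must not fetch the given URL."""


def dns_resolve(host):
    """Default resolver: every A/AAAA answer for host, as ip_address objects."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


def is_public(addr):
    """True only for globally routable unicast addresses.

    is_global excludes loopback, RFC 1918, link-local (169.254.169.254 included),
    reserved space and 0.0.0.0. An IPv4-mapped IPv6 literal such as
    ::ffff:127.0.0.1 is unwrapped first so it cannot smuggle loopback through.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url, resolver=dns_resolve):
    """Return the public addresses the fetch may connect to, or raise UnsafeUrl.

    `resolver` is injectable so the policy can be exercised offline.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials embedded in the URL are not allowed")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # e.g. http://host:abc/
        raise UnsafeUrl("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port {port} is not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeUrl(f"{host} did not resolve")
    for addr in addrs:  # one non-public answer rejects the whole name
        if not is_public(addr):
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    return addrs


def is_rejected(url, resolver=dns_resolve):
    """True if validate_outbound_url refuses the URL."""
    try:
        validate_outbound_url(url, resolver=resolver)
    except UnsafeUrl:
        return True
    return False


# Constructed DNS table for offline use; these are not real records.
FAKE_DNS = {
    "webhook.example.com": ["93.184.216.34"],
    "redis.internal": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    for candidate in ("https://webhook.example.com/notify", "http://127.0.0.1:6379/",
                      "http://redis.internal/", "http://rebind.example.com/",
                      "http://[::ffff:127.0.0.1]/", "gopher://127.0.0.1:6379/"):
        print(f"{candidate:40} rejected={is_rejected(candidate, fake_resolver)}")
```

Validation alone is not enough: hand the returned addresses to the HTTP client (curl's CURLOPT_RESOLVE, or a connect pinned to the validated IP) and disable redirect following, otherwise a second DNS lookup at request time or a 302 from a public host can land on an internal address after the check has passed.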
Impact
Successful exploitation yields code execution in the context of the web server process, which amounts to full compromise of the Magento application and a foothold on the underlying host. From there the attacker can read or modify store data and content, and use the server's network position to pivot to other internal services [1].
Mitigation
Adobe addressed the issue in security bulletin APSB21-64. Upgrade to Magento Commerce 2.4.3, 2.4.2-p2 or 2.3.7-p1 (or later releases). No workaround is publicly documented. Disabling the dotmailer extension removes the SSRF entry point and removing Redis from the deployment removes the known path to code execution, so either reduces exposure, but neither is a substitute for upgrading [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition | Packagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
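An added example, not part of the advisory or of the GitHub advisory data, that turns the ranges in the table and the fix releases named under Mitigation into a version check a composer.lock can be audited with. Magento's "-pN" patch suffix has to sort after the bare release (2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3), which a plain string compare gets wrong. The lock fragment is constructed, and the package-name set is an assumption to adjust for the install being checked.

```python
"""Check installed Magento versions against the CVE-2021-36043 fix lines.

Added example (not from the advisory). The ranges encode the Description and
the Affected packages table: everything below 2.3.7-p1 is affected, and so is
everything from 2.4.0 up to but excluding 2.4.2-p2 (2.4.3 and later are fixed).
"""
import json
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Names from the Affected packages table, plus the metapackages a composer-based
# install records (assumption: extend this set for your own deployment).
MAGENTO_PACKAGES = {
    "magento/community-edition",
    "magento/project-community-edition",
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
}


def parse_version(text):
    """Turn '2.4.2-p1' into (2, 4, 2, 1); a missing -pN suffix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Magento release version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# Fix releases from APSB21-64 as quoted under Mitigation; two separate lines.
FIX_2_3 = parse_version("2.3.7-p1")
FIX_2_4 = parse_version("2.4.2-p2")
FIRST_2_4 = (2, 4, 0, 0)


def is_affected(version):
    """True if this release falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v < FIX_2_3:          # 2.3.7 and everything older, any 2.2.x, ...
        return True
    return FIRST_2_4 <= v < FIX_2_4   # 2.4.0 .. 2.4.2-p1 inclusive


def audit_lock(lock_json):
    """Return [(package, version, affected)] for Magento packages in a composer.lock."""
    data = json.loads(lock_json)
    findings = []
    for pkg in data.get("packages", []):
        name = pkg.get("name", "")
        if name in MAGENTO_PACKAGES:
            ver = pkg["version"]
            findings.append((name, ver, is_affected(ver)))
    return findings


# Constructed composer.lock fragment; not a real lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.4.2-p1"},
        {"name": "some-vendor/unrelated-module", "version": "1.2.3"},
    ]
})

if __name__ == "__main__":
    for name, ver, bad in audit_lock(SAMPLE_LOCK):
        print(f"{name} {ver}: {'AFFECTED, upgrade' if bad else 'patched'}")
```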
Affected products
- Range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7
- GHSA coordinates (2 versions): < 2.3.7-p1, + 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe / Magento Commerce (v5): range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-36xq-7w8w-xp68 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-36043 (NVD)
- [3] https://helpx.adobe.com/security/products/magento/apsb21-64.html (Adobe security bulletin APSB21-64)
News mentions
No linked articles in our index yet.