Magento Commerce GraphQL Improper Input Validation Could Lead To Denial Of Service
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are vulnerable to a server-side denial of service caused by improper input validation in a GraphQL field; an unauthenticated attacker can trigger it.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in a GraphQL field. The bug allows an unauthenticated attacker to supply specially crafted input that the server does not properly validate, leading to resource exhaustion or a crash [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a malicious GraphQL query to a vulnerable Magento instance. No authentication or special network position is required beyond network access to the GraphQL endpoint. The attacker crafts a request that triggers the input validation flaw, causing the server to allocate excessive resources or enter an infinite processing loop [1].
Impact
Successful exploitation results in a server-side denial-of-service condition. The attacker can cause the Magento application to become unresponsive, effectively denying service to legitimate users. No data confidentiality or integrity is compromised directly, but availability is impacted [1].
Mitigation
Adobe released patches as part of Magento Commerce 2.4.3 and 2.3.7-p1 on July 29, 2021. Users should upgrade to these fixed versions immediately. There are no known workarounds for this vulnerability. Magento Commerce 2.4.2 and earlier are no longer supported and should be upgraded to a supported version [1][2].
[1] NVD - CVE-2021-36044
[2] GitHub - magento/magento2 (repository)
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
| magento/community-edition | Packagist | < 2.3.7-p1 | 2.3.7-p1 |
Affected products (4 shown, 1 more)
- Range: <=2.4.2, <=2.4.2-p1, <=2.3.7
- GHSA coordinates: 2 versions
- (no CPE)
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (v5) range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-wr57-3h2f-3q95 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-36044 (source: ghsa; type: ADVISORY)
- helpx.adobe.com/security/products/magento/apsb21-64.html (source: ghsa; tags: x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.