Adobe Commerce post-auth improper input validation leads to remote code execution
Description
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Adobe Commerce 2.4.3-p1 and earlier (and 2.3.7-p2 and earlier) allows authenticated remote code execution without user interaction.
Vulnerability Description
CVE-2022-24093 is an improper input validation vulnerability affecting Adobe Commerce versions 2.4.3-p1 and earlier, as well as 2.3.7-p2 and earlier. The root cause lies in insufficient sanitization of user-supplied input, which can lead to arbitrary code execution by an authenticated attacker [1].
Exploitation
Exploitation requires authentication to the Adobe Commerce backend but does not require any user interaction. An attacker with admin-level or other privileged access could craft specially malformed input that bypasses validation, triggering code execution on the server [1]. The attack surface is limited to authenticated users, reducing the pool of potential attackers to those with valid credentials.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary code on the underlying server. This could lead to full compromise of the Adobe Commerce instance, including data theft, modification, or denial of service. The CVSS v3.1 base score is 9.9 (Critical) due to the high impact on confidentiality, integrity, and availability combined with the low attack complexity and no user interaction requirement [1].
Mitigation
Adobe has released security patches to fix this vulnerability in later versions of Adobe Commerce and Magento Open Source. Users are strongly advised to upgrade to a patched version. No workarounds have been publicly documented; applying the vendor-supplied patch is the recommended course of action [2].
- NVD - CVE-2022-24093
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.3-p1, < 2.4.3-p2 | 2.4.3-p2 |
| magento/community-edition | Packagist | >= 2.3.7-p1, < 2.3.7-p3 | 2.3.7-p3 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.3-p1, <= 2.3.7-p2
- (no CPE) range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5xmp-7wg5-x68q (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb22-13.html (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2022-24093 (NVD advisory)
News mentions
No linked articles in our index yet.