Adobe Commerce Improper Access Control Security feature bypass
Description
Adobe Commerce 2.4.4-p1 and earlier and 2.4.5 and earlier have an Improper Access Control flaw allowing a security feature bypass that can impact minor feature availability without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2022-35689 is an Improper Access Control vulnerability in Adobe Commerce affecting versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier). The improper access controls allow a security feature bypass, meaning that the intended protections or restrictions on certain functionality are not correctly enforced [1].
Exploitation
Exploitation does not require user interaction, so an attacker can trigger the vulnerability remotely without any action from the victim. The exact attack vector is not detailed, but given the nature of the flaw, an attacker would likely be able to access or manipulate features that should have been restricted, by sending crafted requests to the application [1].
Impact
An attacker leveraging this vulnerability can impact the availability of a user's minor feature. While the impact is described as affecting a 'minor feature,' it still constitutes a security bypass in an e-commerce platform. No privilege escalation or data theft is described, but the denial of a feature could disrupt normal store operations or user experience [1].
Mitigation
Adobe has addressed this vulnerability in security releases. Users should update their Adobe Commerce or Magento Open Source installations to the latest patched versions as recommended in Adobe's security bulletin [2]. As of the publication date, no workarounds have been published, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.
- NVD - CVE-2022-35689
- GitHub - magento/magento2
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p2 | 2.4.4-p2 |
| magento/community-edition (Packagist) | >= 2.4.3-p1, <= 2.4.3-p3 | — |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- ghsa-coords (2 versions): >= 2.4.4-p1, < 2.4.4-p2 (+ 1 more)
  - (no CPE) range: >= 2.4.4-p1, < 2.4.4-p2
  - (no CPE) range: <= 2.0.2
- Range: unspecified
Patches
No patches discovered yet.