Adobe Commerce Incorrect Authorization Security feature bypass
Description
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.6 and earlier have an incorrect authorization vulnerability allowing attackers to leak other users' data without user interaction.
CVE-2023-22248 is an Incorrect Authorization vulnerability in Adobe Commerce affecting versions 2.4.6, 2.4.5-p2, 2.4.4-p3, and earlier. The root cause lies in improper enforcement of access controls, which allows a security feature bypass [1].
Exploitation does not require user interaction, meaning an attacker can trigger the vulnerability remotely without any user action. The attack surface is likely network-based, although the specific vector is not detailed beyond authorization flaws [1]. No authentication is needed for exploitation.
The impact is information disclosure: an attacker can leak another user's data by exploiting the incorrect authorization. This could expose sensitive customer or order information stored in the Commerce platform [1].
Adobe has not released a patch at the time of writing, but users are advised to monitor security updates and apply patches when available. The vulnerabilities affect both Adobe Commerce and Magento Open Source, as the latter shares the same codebase [2].
- [1] NVD - CVE-2023-22248
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3 |
| magento/community-edition | Packagist | >= 2.4.4-p1, < 2.4.5-p4 | 2.4.5-p4 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Range: <=2.4.6, <=2.4.5-p2, <=2.4.4-p3
- GHSA coordinates: 2 versions (no CPE)
- No CPE; range: <= 2.0.2
- Adobe/Magento Commerce (v5); range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.