Adobe Commerce Improper Access Control Security feature bypass
Description
Adobe Commerce 2.4.4-p2 and earlier, 2.4.5-p1 and earlier have an improper access control flaw allowing unauthenticated attackers to bypass security and degrade a minor feature's availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2023-22250 is an improper access control vulnerability in Adobe Commerce affecting versions 2.4.4-p2 and earlier, and 2.4.5-p1 and earlier. The flaw allows an attacker to bypass security features, leading to a denial-of-service condition on a minor user feature. No user interaction is required for exploitation [1].
Attack Vector and Prerequisites
The vulnerability stems from insufficient access controls, enabling an unauthenticated attacker to trigger the bypass remotely. Because no authentication or user interaction is needed, the attack can be automated and executed at scale. The exact mechanism is not detailed in public sources, but the impact is limited to the availability of a minor feature, not core functionality [1].
Impact
Successful exploitation results in a security feature bypass that degrades the availability of a non-critical user feature. This could disrupt specific operations but does not compromise sensitive data or allow full system compromise. The CVSS score has not been published by NVD at the time of this analysis [1].
Mitigation
Adobe has not released specific patch information in the available references. Users running affected versions should upgrade to the latest Adobe Commerce release to obtain the fix. As a general security practice, applying the most recent security updates is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p3 | 2.4.4-p3 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p2 | 2.4.5-p2 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
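To check an installation against the ranges in the table above, the following added example (not code from Adobe or the advisory) reads a `composer.lock` and reports which listed packages fall inside an affected range. The function names and the sample lock file are constructed for illustration, and the version parser assumes the `X.Y.Z` or `X.Y.Z-pN` form used in the table.

```python
import json
import re

# Ranges copied from the "Affected packages" table:
# (package, lower bound or None, upper bound, upper inclusive?, patched version)
AFFECTED = [
    ("magento/community-edition", "2.4.4-p1", "2.4.4-p3", False, "2.4.4-p3"),
    ("magento/community-edition", "2.4.5-p1", "2.4.5-p2", False, "2.4.5-p2"),
    ("magento/project-community-edition", None, "2.0.2", True, None),
]
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

def parse_version(text):
    # Return (major, minor, patch, p-level), or None for an unrecognised form.
    m = _VERSION.match(text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def in_range(version, low, high, high_inclusive):
    # True/False for a parsed version, None when the format is unknown.
    v = parse_version(version)
    if v is None:
        return None
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_inclusive else v < h

def audit_lockfile(lock_text):
    # Return (package, version, status, patched version) for listed packages.
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        rows = [r for r in AFFECTED if r[0] == pkg.get("name")]
        if not rows:
            continue
        verdicts = [in_range(pkg["version"], *r[1:4]) for r in rows]
        status = ("affected" if True in verdicts
                  else "unknown" if None in verdicts else "not affected")
        patched = rows[verdicts.index(True)][4] if status == "affected" else None
        findings.append((pkg["name"], pkg["version"], status, patched))
    return findings

# Constructed sample composer.lock content, for illustration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/community-edition", "version": "2.4.5-p1"},
    {"name": "monolog/monolog", "version": "2.9.1"},
]})

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
```

The check matches only the package names the table lists; an installation that pins a differently named package needs that name added to `AFFECTED`. A status of `unknown` means the version string did not parse and should be reviewed by hand.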
Affected products
- ghsa-coords (2 versions): >= 2.4.4-p1, < 2.4.4-p3 (+ 1 more)
- (no CPE) range: >= 2.4.4-p1, < 2.4.4-p3
- (no CPE) range: <= 2.0.2
- Range: unspecified
Patches
No patches discovered yet.