Error-based file extraction via PHP filter chains during product bulk import logic
Description
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce vulnerability allows authenticated admin attacker to read arbitrary files via improper input validation.
Adobe Commerce versions 2.4.7-beta1, 2.4.6-p2, 2.4.5-p4, 2.4.4-p5, and earlier are affected by an Improper Input Validation vulnerability [1]. This flaw allows an attacker with admin privileges to read arbitrary files from the file system, potentially exposing sensitive information such as configuration files, database credentials, or other critical data. The vulnerability does not require any user interaction, making it easier to exploit once admin access is obtained.
The attack can be carried out by an authenticated admin user, who can send specially crafted requests that bypass validation checks, leading to unintended file reads. The attacker must already have administrative access, which limits the attack surface but significantly increases the impact if such access is compromised.
Successful exploitation could allow an attacker to read arbitrary files, potentially leading to further compromise of the system, such as extraction of secrets, source code, or other sensitive data. Adobe has released security updates to address this issue; users are advised to upgrade to the latest versions or apply patches provided by Adobe [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-beta2 | 2.4.7-beta2 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p3 | 2.4.6-p3 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p5 | 2.4.5-p5 |
| magento/community-edition | Packagist | >= 2.4.4-p1, < 2.4.4-p6 | 2.4.4-p6 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.7-beta1, <= 2.4.6-p2, <= 2.4.5-p4, <= 2.4.4-p5
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-beta2 (and 1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-beta2
- (no CPE) range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-9mx6-4gg4-85xj (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb23-50.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-26367 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.