Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.6 and earlier are vulnerable to an incorrect authorization flaw allowing privileged attackers to bypass security features and modify other users' data.
CVE-2023-29288 is an incorrect authorization vulnerability in Adobe Commerce (and Magento Open Source) affecting versions 2.4.6, 2.4.5-p2, 2.4.4-p3, and earlier [1]. The flaw allows a privileged attacker to bypass security features and modify a minor functionality of another user's data.
Exploitation requires a privileged account, meaning the attacker must already have some level of access to the system. However, no user interaction is needed, making it easier to exploit once the attacker has the necessary privileges [1]. The attack vector is likely through the admin panel or API endpoints that fail to properly enforce authorization checks.
Successful exploitation could lead to unauthorized modification of another user's data, potentially affecting data integrity and trust in the application. While described as 'minor functionality,' the exact scope may vary depending on the deployment [1].
Adobe has not released a specific security bulletin in the provided references, but the Magento Open Source repository [2] indicates ongoing development. Users should monitor Adobe's security advisories and upgrade to the latest patched versions when available. As a general precaution, restrict privileged access and review authorization configurations.
- [1] NVD - CVE-2023-29288
- [2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3 |
| magento/community-edition | Packagist | >= 2.4.4-p1, < 2.4.4-p4 | 2.4.4-p4 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.6 (GHSA coordinates, 2 versions)
- Range: <= 2.0.2 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f989-3fp9-q3r2 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb23-35.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2023-29288 (GHSA, advisory)
News mentions
No linked articles in our index yet.