Adobe Commerce Guest Cart Shipping Address Overwrite IDOR
Description
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce 2.4.6 and earlier are vulnerable to an incorrect authorization bug that allows a security feature bypass without user interaction.
Vulnerability
Overview
CVE-2023-29290 is an Incorrect Authorization vulnerability affecting Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier) [1]. The root cause lies in improper authorization checks, which can be exploited to bypass security controls. This flaw does not require user interaction, making it potentially easy for an attacker to exploit [1].
Exploitation and
Attack Surface
An attacker can leverage this vulnerability to bypass a minor functionality [1]. Exploitation does not require user interaction, meaning an attacker can trigger the flaw without any action from the victim. The attack surface is limited to bypassing a security feature, but the exact nature of the bypass and the attack vector (e.g., network, local) are not fully detailed in public sources [1]. The official advisory does not provide CVSS vector strings or exploitable conditions beyond the basic description [1].
Impact
Successful exploitation results in a security feature bypass, allowing the attacker to circumvent a minor functionality [1]. The impact is described as minor, suggesting a limited security control is affected rather than a critical data access or privilege escalation. No additional impact details, such as data confidentiality, integrity, or availability, are provided in the available references [1].
Mitigation
Status
Adobe has not released a specific security update for this CVE in the referenced advisory; however, it is addressed in the Adobe Commerce security bulletin for June 2023 (APSB23-35). Affected users should apply the latest security patches for their respective Adobe Commerce or Magento Open Source installations [2]. At the time of writing, this CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. The vendor's GitHub repository provides general instructions for reporting and addressing security issues [2].
- NVD - CVE-2023-29290
- GitHub - magento/magento2: Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/community-editionPackagist | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3 |
magento/community-editionPackagist | >= 2.4.4-p1, < 2.4.4-p4 | 2.4.4-p4 |
magento/project-community-editionPackagist | <= 2.0.2 | — |
Affected products
4- Range: <=2.4.6, <=2.4.5-p2, <=2.4.4-p3
- ghsa-coords2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: <= 2.0.2
- Adobe/Magento Commercev5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.