VYPR
Low severity · NVD Advisory · Published Jun 15, 2023 · Updated Mar 5, 2025

Adobe Commerce | Improper Input Validation (CWE-20)

CVE-2023-29293

Description

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce 2.4.6 and earlier has an improper input validation bug that lets an admin-privileged attacker bypass a security feature and affect the availability of a minor user feature.

CVE-2023-29293 is an improper input validation vulnerability in Adobe Commerce (and Magento Open Source) that leads to a security feature bypass [1]. The flaw occurs when the software fails to properly validate input in certain administrative functions, enabling an authenticated admin to bypass intended restrictions.

Exploitation requires admin privileges but no user interaction, so an attacker who already has elevated access can trigger the vulnerability without any victim involvement [1]. The attack surface is limited to admin-level functions, meaning the attacker must first obtain high privileges.

The impact is limited to affecting the availability of a "user's minor feature," per the advisory [1]. This suggests the bypass can disrupt a non-critical feature for users but does not compromise sensitive data or lead to full system compromise.

As of the publication date, Adobe has not released additional technical details beyond the initial advisory. Affected versions are 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier [1]. Users are advised to follow Adobe's security advisories for updates.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3
magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p4 | 2.4.4-p4
magento/project-community-edition (Packagist) | <= 2.0.2 |
