[Cloud] Customer suspects IDOR vulnerability
Description
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions up to 2.4.6, 2.4.5-p2, and 2.4.4-p3 have an Incorrect Authorization bug that allows a low-privileged attacker to bypass a security feature and modify another user's data.
Vulnerability Details
CVE-2023-29296 is an Incorrect Authorization vulnerability in Adobe Commerce, impacting versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier) [1]. The root cause is improper authorization checks, allowing a security feature bypass.
Exploitation
A low-privileged attacker can exploit this vulnerability without any user interaction to modify a minor functionality of another user's data [1]. The attack can be local or remote depending on network access, but requires only low privileges.
Impact
Successful exploitation results in a security feature bypass, enabling unauthorized modification of another user's data, albeit for minor functionality. The CVSS score is not yet provided by NVD, but the vulnerability is considered important.
Mitigation
Adobe has addressed this issue in later releases. Users should update to patched versions. The Magento Open Source repository [2] contains the source code where fixes are applied.
- [1] NVD - CVE-2023-29296
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p4 | 2.4.4-p4 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.6 (GHSA coordinates, no CPE)
- Range: <= 2.0.2 (no CPE)
- Adobe/Magento Commerce, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.