Adobe Commerce Incorrect Authorization Security feature bypass
Description
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other users' data. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce contains an incorrect authorization vulnerability allowing low-privileged attackers to bypass security features and access other users' data without user interaction.
Description
CVE-2023-38209 is an Incorrect Authorization vulnerability in Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier), and 2.4.4-p4 (and earlier). The root cause lies in flawed authorization checks that fail to properly validate a user's permissions before granting access to resources. This flaw results in a security feature bypass, enabling unauthorized data access [1].
Exploitation
An attacker with low privileges on an affected Adobe Commerce instance can exploit this vulnerability remotely without any user interaction. The attack surface is reachable over the network and requires no authentication beyond the attacker's existing low-privileged account. The lack of user interaction simplifies exploitation, as the attacker does not need to trick an administrator or other user into performing actions [1].
Impact
Successful exploitation allows the low-privileged attacker to access sensitive data belonging to other users. This could include personal information, order details, and other confidential data stored within the Adobe Commerce platform. The security feature bypass effectively undermines the intended access controls, leading to a breach of confidentiality [1].
Mitigation
Adobe has addressed this vulnerability in security updates for Adobe Commerce. Users are strongly advised to upgrade to the latest patched versions (2.4.6-p2, 2.4.5-p4, 2.4.4-p5, or later) to remediate the issue. No workarounds are available, and applying the official patches is the recommended course of action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p2 | 2.4.6-p2 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p4 | 2.4.5-p4 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p5 | 2.4.4-p5 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.6-p1
- Range: <= 2.0.2 (no CPE)
- Adobe/Magento Commerce
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3vg2-v639-6ch9 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb23-42.html (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-38209 (NVD advisory)
News mentions
No linked articles in our index yet.