Moderate severity · NVD Advisory · Published Oct 10, 2024 · Updated Oct 10, 2024

Adobe Commerce | Improper Access Control (CWE-284)

CVE-2024-45121

Description

Adobe Commerce improper access control allows low-privileged authenticated users to bypass security measures, impacting integrity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An Improper Access Control vulnerability exists in Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier [1]. The flaw stems from inadequate enforcement of access restrictions on certain backend operations, allowing authorized users with limited privileges to access resources or perform actions they should not be permitted to [1].

The vulnerability is exploitable by an authenticated user with low privileges, such as a store administrator with restricted roles. No user interaction is required beyond the attacker's own actions, meaning the attacker can trigger the bypass directly without tricking another user [1]. The attack surface is limited to authenticated sessions within the Adobe Commerce admin panel or API, requiring the attacker to already possess valid credentials [1].

Successful exploitation enables the attacker to bypass intended security controls, leading to a low impact on integrity. This could allow unauthorized modification of data, such as altering product details, prices, or other configuration settings that should be protected [1]. The confidentiality and availability of the system are not expected to be affected by this flaw [1].

Adobe has released security updates to address this vulnerability in the specified versions and later [1]. Users should apply the latest patches available from the official repository [2] or the Adobe Security Bulletin to mitigate the risk. No workarounds have been publicly documented, and the CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
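
To check an installed magento/community-edition version against the ranges listed above, the following added example (not code from Adobe or from this advisory) compares version strings using the PHP version_compare ordering that Composer follows, where a "-pN" suffix sorts above the plain release. The function names and the sample versions are assumptions made for illustration.

```python
import re

# PHP version_compare / Composer ordering: pre-releases sort below the plain
# release, Adobe's "-pN" security patches sort above it.
_RANK = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "p": 1}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d*))?$", re.I)

def parse(version):
    """Turn '2.4.6-p7' into a sortable tuple (2, 4, 6, 1, 7)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch),
            _RANK[(tag or "").lower()], int(num or 0))

# (inclusive lower bound or None, exclusive upper bound), copied from the table.
AFFECTED_RANGES = [
    ("2.4.7-beta1", "2.4.7-p3"),
    ("2.4.6-p1", "2.4.6-p8"),
    ("2.4.5-p1", "2.4.5-p10"),
    (None, "2.4.4-p11"),
]

def in_advisory_range(version):
    """True if the version falls inside a range exactly as the table lists it."""
    v = parse(version)
    return any((lo is None or parse(lo) <= v) and v < parse(hi)
               for lo, hi in AFFECTED_RANGES)

def needs_update(version):
    """Conservative check: below the patched release of its own release line.

    The description says "and earlier", so a base release such as 2.4.6 is
    flagged here even though the table's range only starts at 2.4.6-p1.
    """
    v = parse(version)
    for _, hi in AFFECTED_RANGES:
        fixed = parse(hi)
        if v[:3] == fixed[:3]:
            return v < fixed
    # Release lines older than 2.4.4 fall under the "< 2.4.4-p11" row.
    return v < parse("2.4.4-p11")

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for installed in ("2.4.7-p2", "2.4.7-p3", "2.4.6", "2.4.4-p10"):
        print(installed, in_advisory_range(installed), needs_update(installed))
```

The two functions disagree only for base releases such as 2.4.6 and 2.4.5, which sit just below the table's lower bounds; needs_update follows the description's "and earlier" wording for those.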
