Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions prior to 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10 have an Improper Access Control vulnerability allowing low-privileged attackers to bypass security measures with low confidentiality impact, without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-45122 is an Improper Access Control vulnerability in Adobe Commerce versions prior to 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10 (as stated in the description above). The root cause is a flaw in the access control mechanism that fails to properly enforce restrictions for certain operations, allowing a low-privileged attacker to bypass intended security measures [1].
Exploitation Prerequisites
Exploitation requires a low-privileged account on the affected Adobe Commerce instance. The attacker does not need any user interaction, meaning the attack can be automated or triggered without tricking an administrator or other user [1]. The attack surface is accessible to authenticated users with minimal privileges, potentially through web requests or API calls that are not adequately validated.
Impact Assessment
Successful exploitation results in a bypass of security features, leading to a low impact on the confidentiality of the system [1]. This means the attacker could gain unauthorized access to limited sensitive information, but not full administrative control or critical data. The vulnerability does not affect integrity or availability according to the assessed CVSS vector.
Mitigation Status
Adobe has released security patches for the fixed versions: 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10. Merchants are advised to upgrade to these versions or later to remediate the vulnerability [1]. Note that the GitHub Security Advisory version table on this page lists the patched releases as 2.4.7-p3, 2.4.6-p8, 2.4.5-p10 and 2.4.4-p11, so verify the installed version against the vendor advisory (APSB24-73) before concluding an instance is patched. The Magento Open Source project (on which Adobe Commerce is based) provides a codebase for self-hosted users to apply fixes, though Adobe recommends using their fully supported Commerce solution [2].
- [1] NVD - CVE-2024-45122 (nvd.nist.gov/vuln/detail/CVE-2024-45122)
- [2] GitHub - magento/magento2 (github.com/magento/magento2)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition | Packagist | < 2.4.4-p11 | 2.4.4-p11 |
Affected products (2)
- Range: 0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-46fm-x82m-5f74 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb24-73.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-45122 (GHSA, advisory)
News mentions (0)
No linked articles in our index yet.