Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to have a low impact on integrity. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.7-p2 and earlier contain an Incorrect Authorization vulnerability allowing low-privileged attackers to bypass security features with low integrity impact.
Vulnerability
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Incorrect Authorization vulnerability. This flaw arises from improper authorization checks within the application, enabling a security feature bypass [1].
Exploitation
An attacker with low privileges can exploit this vulnerability without requiring any user interaction. The attack does not need any special network access or complex prerequisites, making it relatively accessible for a malicious insider or a compromised low-tier account [1].
Impact
Successful exploitation results in a low impact on integrity. This means an attacker could potentially modify certain data or settings in a limited fashion, but not gain full administrative control or access sensitive information. The confidentiality and availability of the system are not directly affected [1].
Mitigation
Adobe has not yet released a patched version, but the vulnerability is acknowledged. Users should monitor Adobe's security advisories and apply updates as soon as they become available. The Magento Open Source project may receive a fix in a future release [2].
- [1] NVD - CVE-2024-45125
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
3 entries:
- osv-coords (2 version ranges)
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe / Adobe Commerce (v5 range: 0)
Patches
No patches discovered yet (0).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 entries:
- github.com/advisories/GHSA-xg36-8c2v-jpxh (source: ghsa; type: ADVISORY)
- helpx.adobe.com/security/products/magento/apsb24-73.html (source: ghsa; type: vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-45125 (source: ghsa; type: ADVISORY)
News mentions
No linked articles in our index yet (0).