Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity and availability. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is affected by an Improper Authorization vulnerability that allows a low-privileged attacker to bypass security measures, impacting integrity and availability.
Vulnerability Overview
CVE-2024-45128 is an Improper Authorization vulnerability in Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The root cause is a failure to properly enforce authorization checks, which can lead to a security feature bypass [1].
Attack Vector
A low-privileged attacker can exploit this flaw by sending specially crafted requests to the affected Adobe Commerce instance. No user interaction is required, and the attack does not require any special network access beyond typical application access [1].
Impact
Successful exploitation results in a bypass of intended security controls. The impact is rated as low for integrity and availability, meaning an attacker could potentially manipulate certain data or cause limited service disruption [1].
Mitigation
Adobe has not released a patch at the time of publication. The vendor's advisory and the project's GitHub repository (for Magento Open Source, the upstream project) are referenced for future updates [2].
- NVD - CVE-2024-45128
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- osv-coords (2 versions)
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe/Adobe Commerce (v5) Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-qpp7-742q-58j3 [ghsa, ADVISORY]
- helpx.adobe.com/security/products/magento/apsb24-73.html [ghsa, vendor-advisory, WEB]
- nvd.nist.gov/vuln/detail/CVE-2024-45128 [ghsa, ADVISORY]