Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier have an Improper Access Control bug (CWE-284) that lets a low-privileged attacker bypass a security feature, with low integrity impact and no user interaction required.
Vulnerability
Overview
CVE-2024-45130 is an Improper Access Control vulnerability in Adobe Commerce. The root cause is insufficient enforcement of access controls on certain operations, allowing a low-privileged attacker to bypass intended security restrictions [1]. It affects the 2.4.4, 2.4.5, 2.4.6 and 2.4.7 release lines up to and including 2.4.4-p10, 2.4.5-p9, 2.4.6-p7 and 2.4.7-p2.
Exploitation
Prerequisites
An attacker must already have low-privileged authenticated access to the Adobe Commerce instance, for example an admin user with a restricted role or a customer account. Exploitation requires no user interaction and can be carried out remotely. Adobe's advisory does not identify the affected endpoint; the usual shape of a CWE-284 issue is a request or API call on which an authorization check is missing or incomplete, but that is inference, not disclosed detail.
Impact
The stated impact is a low integrity impact: a successful attack could let the attacker modify data or settings that should be protected, but not take control of the instance. Adobe's description lists no confidentiality or availability impact.
Mitigation
Adobe has released patched versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10 and 2.4.4-p11 (security bulletin APSB24-73). Anyone running an earlier build of those release lines should upgrade. No workarounds have been published. The source code is available in the Magento repository [2] for review.
- [1] NVD - CVE-2024-45130
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (source) | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
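As an added check (not part of this advisory or of the Magento code base), the script below compares an installed version string against the GHSA ranges in the table above and against Adobe's broader "and earlier" wording from the description. It assumes the version string is what `bin/magento --version` or `composer show magento/product-community-edition` prints, e.g. `2.4.6-p3`; the suffix ordering it encodes (alpha < beta < GA < p) is the ordering the table's own ranges imply, and the function names are mine.

```python
"""Version check for CVE-2024-45130 (GHSA-v3v6-jfvw-m576 / APSB24-73).

Added example, not code from the advisory or the Magento project.
Assumption: the version string is what `bin/magento --version` or
`composer show magento/product-community-edition` prints, e.g. "2.4.6-p3".
"""
import re
import sys
from typing import Optional, Tuple

# Ordering of the suffixes that appear in the advisory's ranges:
#   2.4.7-alpha0 < 2.4.7-beta1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p3
_STAGE_ORDER = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '2.4.7-p2' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage or ""], int(n or 0))


# Ranges exactly as the GHSA table lists them: (lower bound inclusive, or
# None for "any earlier version"; first patched build as exclusive upper bound).
GHSA_RANGES = [
    ("2.4.7-beta1", "2.4.7-p3"),
    ("2.4.6-p1", "2.4.6-p8"),
    ("2.4.5-p1", "2.4.5-p10"),
    (None, "2.4.4-p11"),
]

# Adobe's description is broader: "2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10
# and earlier". Newest line first; the value is the build that closes the issue.
VENDOR_MAX_AFFECTED = {
    "2.4.7-p2": "2.4.7-p3",
    "2.4.6-p7": "2.4.6-p8",
    "2.4.5-p9": "2.4.5-p10",
    "2.4.4-p10": "2.4.4-p11",
}


def affected_range(version: str) -> Optional[Tuple[Optional[str], str]]:
    """Return the GHSA (lower, patched) pair the version falls in, or None."""
    key = parse_version(version)
    for lower, patched in GHSA_RANGES:
        if lower is not None and key < parse_version(lower):
            continue
        if key < parse_version(patched):
            return (lower, patched)
    return None


def vendor_recommended_fix(version: str) -> Optional[str]:
    """Apply Adobe's 'X and earlier' wording; return the fixed build or None.

    Unlike the GHSA ranges, this treats GA builds such as 2.4.6 as affected,
    because they are 'earlier' than 2.4.6-p7.
    """
    key = parse_version(version)
    for max_affected, patched in VENDOR_MAX_AFFECTED.items():
        if key[:3] == parse_version(max_affected)[:3]:
            return patched if key <= parse_version(max_affected) else None
    # Anything older than the 2.4.4 line is also "earlier than 2.4.4-p10";
    # the lowest listed fixed build is the minimum target for it.
    return "2.4.4-p11" if key < parse_version("2.4.4-p10") else None


def report(version: str) -> str:
    """One-line verdict combining both sources."""
    ghsa = affected_range(version)
    fix = vendor_recommended_fix(version)
    if fix is None and ghsa is None:
        return f"{version}: not in the affected ranges"
    return (f"{version}: AFFECTED, upgrade to {fix or ghsa[1]} "
            f"(GHSA range match: {'yes' if ghsa else 'no, vendor wording only'})")


if __name__ == "__main__":
    # Constructed sample inputs; pass a real version string as argv[1].
    for v in sys.argv[1:] or ["2.4.7-p2", "2.4.6", "2.4.5-p10", "2.3.7-p4"]:
        print(report(v))
```

The two checks disagree on GA builds: the GHSA ranges as printed start at 2.4.6-p1 and 2.4.5-p1, so `affected_range()` reports a bare 2.4.6 or 2.4.5 as outside the ranges, while Adobe's "2.4.6-p7 and earlier" wording covers it. `vendor_recommended_fix()` follows the vendor wording and is the safer of the two.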
Affected products (3 entries)
- OSV coordinates, 2 version ranges:
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe / Adobe Commerce (v5): 0 version ranges recorded
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-v3v6-jfvw-m576 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb24-73.html (vendor advisory, listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-45130 (NVD advisory, listed by GHSA)
News mentions
No linked articles in our index yet.