Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality and integrity. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is affected by an improper authorization vulnerability allowing low-privileged attackers to bypass security measures, impacting confidentiality and integrity.
Vulnerability Overview
CVE-2024-45131 is an Improper Authorization vulnerability in Adobe Commerce, affecting versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10, and earlier. The root cause lies in insufficient authorization checks, which can be exploited by a low-privileged attacker to bypass intended security restrictions [1].
Exploitation Conditions
An attacker must have low-privileged access to the system, but no user interaction is required for exploitation. This makes the vulnerability particularly dangerous as it can be triggered programmatically or through automated means without relying on social engineering [1].
Impact
Successful exploitation results in a bypass of security features, leading to a low impact on both confidentiality and integrity. While the impact is limited, it could enable further attacks or unauthorized access to sensitive data [1].
Mitigation
Adobe has released security updates to address this issue. Users are advised to upgrade to the latest patched versions: 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, or later. No workarounds have been disclosed [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- osv-coords (2 versions): >= 2.4.7-alpha0, < 2.4.7-p3 (+ 1 more)
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe/Adobe Commerce (v5), Range: 0
References
- github.com/advisories/GHSA-xc5p-773w-m3pm (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb24-73.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-45131 (ghsa, ADVISORY)