Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect confidentiality. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to an Improper Authorization bug allowing low-privileged attackers to escalate privileges and bypass security measures, impacting confidentiality without user interaction.
Vulnerability Overview
CVE-2024-45132 is an Improper Authorization vulnerability in Adobe Commerce that affects versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10, and earlier [1]. The root cause is insufficient enforcement of authorization checks, which allows a low-privileged authenticated attacker to escalate privileges [1].
Attack Vector
To exploit this vulnerability, an attacker must have low-privileged access to an affected Adobe Commerce instance [1]. The attack can be carried out over the network, and no user interaction is required for exploitation, making it straightforward for an authenticated adversary to attempt privilege escalation [1].
Impact
Successful exploitation enables the attacker to bypass existing security measures and affect the confidentiality of the system [1]. While the immediate impact is on confidentiality, privilege escalation could lead to broader access to sensitive data stored within the e-commerce platform.
Mitigation
Adobe has addressed this vulnerability in the following releases: 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10, though the advisory notes that earlier versions remain affected [1]. Users are strongly advised to upgrade to the latest patched version of Adobe Commerce or apply the appropriate security update. Adobe Commerce is part of the Magento project, with source code available on GitHub [2].
- NVD - CVE-2024-45132
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- osv-coords (2 versions): >= 2.4.7-alpha0, < 2.4.7-p3 (+ 1 more)
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe/Adobe Commerce (v5) range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-5f64-ppmg-cvvm (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb24-73.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-45132 (ghsa, ADVISORY)