Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce has an information exposure vulnerability that lets an attacker who already holds an admin session bypass a security feature and read data the application should withhold, which may aid further attacks.
CVE-2024-45133 is an information exposure weakness, classified as Improper Access Control (CWE-284), affecting Adobe Commerce 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier [1]. Sensitive data is disclosed to an authenticated user with administrative privileges, so the defect lies in an access-control check that does not restrict what an admin session may read [1]. Neither Adobe's bulletin nor the other references on this page identify the affected component or request, so the exact code path is not documented here.
Exploitation and attack surface
The attacker must already hold administrative credentials, so the exposure is limited to authenticated admin users, which in practice includes anyone who has obtained an admin session through credential theft or reuse [1]. No user interaction is required [1]. The references on this page do not name the affected endpoint, so until the fix is applied every admin-reachable request path should be treated as in scope. Because the only prerequisite is a valid admin session, the issue is a plausible step in a broader intrusion rather than an initial entry point.
Impact
The impact is on confidentiality: an administrator can read data that the application is meant to withhold even from admin users [1]. Adobe rates the confidentiality impact as low and the description lists no integrity or availability impact, but the disclosure constitutes a security feature bypass, and what is learned may be used to plan further attacks [1].
Mitigation
Adobe fixed the issue in the releases listed in security bulletin APSB24-73; per the advisory data on this page the fixed versions are 2.4.7-p3, 2.4.6-p8, 2.4.5-p10 and 2.4.4-p11 [1]. Administrators should upgrade to the fixed release for their branch. Since exploitation requires a valid admin session, reviewing who holds admin accounts and auditing admin activity is a reasonable interim control. This page links no reports of in-the-wild exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
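Added example, not part of the advisory or of Magento's own tooling: a Python check that turns the affected ranges in the table above into a lookup for the fixed release, ordering Magento's alpha/beta/rc/p suffixes the way Composer does. The `composer.lock` reader assumes the platform release is pinned by the `magento/product-community-edition` metapackage (Adobe Commerce installs use a different metapackage name), and the sample lock document is constructed for the demonstration.

```python
"""Version check for CVE-2024-45133 / GHSA-j3mh-wx5f-2vhg.

Decide whether an installed Magento Open Source / Adobe Commerce version falls
inside the affected ranges published for magento/community-edition and, if so,
which fixed release to move to.
"""
import json
import re
from typing import Optional

# Affected ranges and fixed versions copied from the "Affected packages" table
# on this page (GitHub Security Advisory data for magento/community-edition).
AFFECTED_RANGES = [
    (">= 2.4.7-beta1, < 2.4.7-p3", "2.4.7-p3"),
    (">= 2.4.6-p1, < 2.4.6-p8", "2.4.6-p8"),
    (">= 2.4.5-p1, < 2.4.5-p10", "2.4.5-p10"),
    ("< 2.4.4-p11", "2.4.4-p11"),
]

# Magento version ordering: alpha < beta < rc < plain release < security patch
# levels (-p1, -p2, ...). This mirrors how Composer orders these suffixes.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$", re.IGNORECASE
)
# One constraint per operator; the bound stops at whitespace or the comma separator.
_CONSTRAINT_RE = re.compile(r"(>=|<=|>|<)\s*([^\s,]+)")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_key(version: str) -> tuple:
    """Turn '2.4.6-p7' into a tuple that sorts the way Magento releases do."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, stage, n = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(n or 0))


def in_range(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated constraint in `spec`."""
    key = version_key(version)
    constraints = _CONSTRAINT_RE.findall(spec)
    if not constraints:
        raise ValueError(f"no constraints found in {spec!r}")
    return all(_OPS[op](key, version_key(bound)) for op, bound in constraints)


def patched_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if no affected range matches."""
    for spec, fixed in AFFECTED_RANGES:
        if in_range(version, spec):
            return fixed
    return None


def installed_version(lock_text: str,
                      package: str = "magento/product-community-edition") -> Optional[str]:
    """Read the installed version of `package` out of a composer.lock document.

    Assumption: on Open Source installs the platform release is pinned by the
    'magento/product-community-edition' metapackage; pass the name your lock
    file actually uses if it differs.
    """
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in data.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


# Constructed sample lock document, not taken from any real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "magento/product-community-edition", "version": "2.4.6-p7"},
    ]
})


if __name__ == "__main__":
    for v in ["2.4.7-p2", "2.4.7-p3", "2.4.6-p7", "2.4.6", "2.4.4", "2.4.3-p5", "2.4.8"]:
        fixed = patched_version_for(v)
        print(f"{v:<10} {'upgrade to ' + fixed if fixed else 'matches no listed range'}")
    current = installed_version(SAMPLE_LOCK)
    print(f"composer.lock pins {current}: fix = {patched_version_for(current)}")
```

One caveat the check makes visible: the GHSA ranges have lower bounds such as `>= 2.4.6-p1`, so a plain `2.4.6` (no patch level) matches none of them, while Adobe's description says "2.4.6-p7 ... and earlier". Treat the listed ranges as a floor, and upgrade anything below the fixed release on its branch rather than relying on a non-match.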
Affected products
OSV coordinates (2 version ranges):
- (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe / Adobe Commerce (no version range recorded)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- GHSA-j3mh-wx5f-2vhg (advisory): https://github.com/advisories/GHSA-j3mh-wx5f-2vhg
- Adobe Security Bulletin APSB24-73 (vendor advisory): https://helpx.adobe.com/security/products/magento/apsb24-73.html
- NVD entry for CVE-2024-45133 (advisory): https://nvd.nist.gov/vuln/detail/CVE-2024-45133
News mentions
No linked articles in our index yet.