Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is affected by an improper access control vulnerability that lets an admin attacker bypass security measures, with low integrity impact and no user interaction required.
Vulnerability
Overview
CVE-2024-45135 is an Improper Access Control (CWE-284) vulnerability in Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier [1]. Adobe's description does not name the affected component; what it does state is that an attacker who already holds an admin role can bypass a security control that should have constrained that role [1].
Exploitation
Exploitation requires an existing administrative account on the Adobe Commerce instance and no user interaction [1]. There is no need to trick a higher-privileged user: the attacker uses the admin access they already hold to perform an operation that the access-control policy was meant to deny to that account [1]. In practice this matters most for stores that hand out scoped admin roles (for example to agencies, support staff or automation accounts) on the assumption that the ACL confines them.
Impact
Successful exploitation has a low impact on integrity [1]. Adobe does not say which resources can be altered, and the low rating indicates limited, partial modification rather than full control of the store. Because the attacker is already an admin, the realistic risk is that a narrowly scoped admin role can reach beyond what the merchant intended, so the admin user and role list should be reviewed alongside patching.
Mitigation
Adobe addressed this vulnerability in security bulletin APSB24-73. The affected releases are 2.4.7-p2, 2.4.6-p7, 2.4.5-p9 and 2.4.4-p10 (and earlier); the fixed releases, per the GitHub Security Advisory ranges listed below, are 2.4.7-p3, 2.4.6-p8, 2.4.5-p10 and 2.4.4-p11 respectively [1]. Merchants should upgrade to the fixed release of their 2.4.x line as soon as possible. The open-source Magento codebase is published on GitHub [2].
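A quick way to tell whether a given install still needs the APSB24-73 update is to compare its version string against the fixed releases from the table on this page. The script below is an added example, not code from Adobe or the Magento project: it orders Magento version strings the way Composer does (alpha/beta/rc below the GA release, `-pN` patch releases above it) and reports the fixed release an install must move to. It reads the version from the output of `bin/magento --version`, which is assumed here to print a line of the form `Magento CLI 2.4.7-p2`; the sample output is constructed, not captured from a real store. It deliberately follows Adobe's "X and earlier" wording, so a version in a gap of the GHSA ranges (such as 2.4.6 GA) is treated as unpatched.

```python
"""Decide whether an Adobe Commerce / Magento Open Source install needs the
APSB24-73 update for CVE-2024-45135, using the fixed versions listed on this page."""
import re
from typing import Optional, Tuple

# Fixed releases from the "Affected packages" table on this page, one per 2.4.x line.
PATCHED_VERSIONS = ["2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11"]

# Composer ordering for Magento suffixes: pre-releases sort below the GA release,
# "-pN" patch releases sort above it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$", re.IGNORECASE)


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.7-p2' into a sortable tuple; raises ValueError on unknown formats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = (m.group(4) or "").lower()
    number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, _SUFFIX_RANK[suffix], number)


def required_update(installed: str) -> Optional[str]:
    """Return the fixed release the install must move to, or None if it is already fixed.

    Follows the advisory's "X and earlier" reading: a version is affected when it
    sorts below the fixed release of its own 2.4.x line, or below the oldest fixed
    release (2.4.4-p11) outright. This is broader than the GHSA lower bounds, which
    omit e.g. 2.4.6 GA; treating such gaps as unpatched is the safe choice.
    """
    key = version_key(installed)
    oldest = min(PATCHED_VERSIONS, key=version_key)
    for patched in PATCHED_VERSIONS:
        pkey = version_key(patched)
        same_line = key[:3] == pkey[:3]
        if (same_line or patched == oldest) and key < pkey:
            return patched
    return None


def version_from_cli_output(output: str) -> str:
    """Extract the version from `bin/magento --version` output.

    The 'Magento CLI <version>' line format is an assumption of this example;
    adjust the pattern if your build prints something else.
    """
    m = re.search(r"Magento CLI\s+(\S+)", output)
    if not m:
        raise ValueError("could not find a version in: " + output.strip())
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real store.
    sample = "Magento CLI 2.4.7-p2\n"
    found = version_from_cli_output(sample)
    fix = required_update(found)
    print(f"{found}: {'upgrade to ' + fix if fix else 'not affected by CVE-2024-45135'}")
```

Run it against the real output (`bin/magento --version | python3 check_apsb24_73.py` with a small `sys.stdin.read()` wrapper, or paste the string) on each environment, including staging and any clones that were restored from older backups. A version reported as already fixed only covers this bulletin; it says nothing about whether custom admin roles are scoped the way the merchant intended.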
- [1] NVD - CVE-2024-45135
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- OSV coordinates (no CPE): >= 2.4.7-alpha0, < 2.4.7-p3
- OSV coordinates (no CPE): >= 2.4.7-beta1, < 2.4.7-p3
- Adobe / Adobe Commerce (CVE v5 record): no version range listed
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8pxg-gcp4-57ww (GitHub Security Advisory)
- helpx.adobe.com/security/products/magento/apsb24-73.html (Adobe vendor advisory, APSB24-73)
- nvd.nist.gov/vuln/detail/CVE-2024-45135 (NVD)
News mentions
No linked articles in our index yet.