Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.7-p2 and earlier are affected by an improper access control vulnerability allowing high-privileged attackers to bypass security measures, with low impact on confidentiality.
Overview
CVE-2024-45149 is an Improper Access Control vulnerability affecting Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier [1]. The access control mechanism fails to properly enforce restrictions, which allows a bypass of intended security policies [1].
Exploitation
A high-privileged attacker can exploit this flaw without requiring any user interaction [1]. The attack can be carried out by a user with administrative or elevated privileges within the application, leveraging the improper access control to circumvent security measures [1].
Impact
Successful exploitation results in a low impact on confidentiality [1]. While the vulnerability enables a security feature bypass, its direct effect on data confidentiality is limited, though it could be combined with other issues to escalate impact [1].
Mitigation
Adobe has addressed this vulnerability in the latest security updates for Adobe Commerce [1]. Users are advised to upgrade to versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 or later to mitigate the risk [1]. The official repository and resources for the project are available on GitHub [2].
- [1] NVD - CVE-2024-45149
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
Affected products
- osv-coords (2 versions)
  - (no CPE) range: >= 2.4.7-alpha0, < 2.4.7-p3
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p3
- Adobe/Adobe Commerce (v5) Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-w7rg-7wq2-pjrw (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb24-73.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-45149 (ghsa, ADVISORY)