Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce has an improper access control vulnerability allowing low-privileged attackers to bypass security and gain unauthorized read access without user interaction.
Root cause
CVE-2025-24424 is an Improper Access Control vulnerability in Adobe Commerce that affects versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier [1]. The flaw allows an attacker to bypass implemented security measures and gain unauthorized read access to resources that should be protected.
Attack vector
A low-privileged attacker can exploit this vulnerability without any user interaction [1]. The attacker does not need to trick an administrator or other user; exploitation can be performed directly against the affected instance. No specific attack vector is disclosed in the available references, but the issue lies in improper enforcement of access controls on certain backend functionality.
Impact
Successful exploitation enables the attacker to bypass security feature restrictions and read sensitive information that should be unavailable to their privilege level [1]. This constitutes a confidentiality breach, potentially exposing customer data, order details, or other protected commerce information.
Mitigation
Adobe has addressed this vulnerability in security updates for the affected versions. Users should upgrade to the latest patched versions of Adobe Commerce or Magento Open Source [2]. No workarounds are publicly documented; applying the vendor-supplied patch is the recommended action.
- NVD - CVE-2025-24424
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition (Packagist) | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products (4)
- Range: <= 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-p4, + 1 more
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5 record), ranges: 0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-539v-w87w-w62c (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-08.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-24424 (ghsa, ADVISORY)
News mentions (0)
No linked articles in our index yet.