Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions up to 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, and 2.4.4-p11 contain an improper access control vulnerability allowing low-privileged attackers to bypass security and gain unauthorized write access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
This vulnerability is an Improper Access Control issue present in multiple versions of Adobe Commerce and Magento Open Source. The root cause lies in insufficient enforcement of access restrictions, allowing a low-privileged attacker to bypass intended security mechanisms [1].
Exploitation requires only low-privileged access to the application; no user interaction is needed. An attacker can leverage this flaw to perform unauthorized write operations, which implies the ability to modify data or configuration that should be protected [1].
The impact is a security feature bypass resulting in unauthorized write access. This could lead to data corruption, privilege escalation, or further compromise of the e-commerce platform, depending on the exact data the attacker can target [1].
Adobe has released security updates for the affected versions. Users are strongly advised to upgrade to the latest patched releases to mitigate this vulnerability. The advisory does not mention a workaround [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition (Packagist) | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
References
- github.com/advisories/GHSA-v3hq-g424-5mgg (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-08.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-24427 (ghsa, ADVISORY)