Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass allowing read only access. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions before 2.4.8-beta1 contain an improper access control vulnerability allowing low-privileged attackers to gain unauthorized read-only access via user interaction.
Vulnerability Overview
CVE-2025-24429 is an Improper Access Control vulnerability in Adobe Commerce affecting versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. The flaw allows a security feature bypass, enabling unauthorized read-only access to resources that should be restricted [1].
Attack Vector
Exploitation requires a low-privileged attacker with valid credentials. The attacker can trigger the issue through user interaction, such as clicking a malicious link or manipulating a request. The vulnerability stems from insufficient authorization checks, allowing bypass of intended access controls [1].
Impact
Successful exploitation grants the attacker read-only access to sensitive data or functionality. This breach of confidentiality could expose customer information, order details, or other protected content. The attack does not require administrative privileges but relies on the victim's interaction [1].
Mitigation
Adobe has released security updates to address this vulnerability. Users should upgrade to the latest patched versions: 2.4.8 (or later), 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, or higher. No workarounds are documented. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition (Packagist) | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <=2.4.8-beta1, <=2.4.7-p3, <=2.4.6-p8, <=2.4.5-p10, <=2.4.4-p11
- GHSA coordinates (2 version ranges): >= 2.4.7-beta1, < 2.4.7-p4 (and 1 more range)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5 range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-656q-fx2w-8ccv (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb25-08.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-24429 (GHSA, advisory)
News mentions
No linked articles in our index yet.