Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce low-privilege access control vulnerability leads to privilege escalation and unauthorized field modification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2025-24435 is an Improper Access Control vulnerability in Adobe Commerce affecting versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The issue lies in inadequate authorization checks, allowing a low-privileged attacker to bypass security restrictions and modify limited fields without proper permissions [1].
Exploitation Conditions
Exploitation requires only low-privileged access to an affected Adobe Commerce instance. No user interaction is needed, making the attack easily scalable. An attacker could leverage existing session or API tokens with minimal privileges to trigger the flawed access control logic [1].
Impact
Successful exploitation results in privilege escalation, enabling the attacker to modify certain fields that should be restricted to higher-privileged roles. This could lead to unauthorized changes to product data, customer information, or configuration settings, potentially affecting store operations and data integrity [1].
Mitigation
Adobe has released patches in versions 2.4.4-p12, 2.4.5-p11, 2.4.6-p9, 2.4.7-p4, and 2.4.8-beta2 (or later). Users are strongly advised to upgrade to a fixed version or apply the official security patch. No workarounds have been publicly documented [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition (Packagist) | < 2.4.4-p12 | 2.4.4-p12 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | none |
Affected products
Three GHSA version coordinates, none with a CPE identifier:
- range: >= 2.4.7-beta1, < 2.4.7-p4
- range: <= 2.0.2
- 1 more range not shown
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-82p4-55gj-956p (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb25-08.html (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-24435 (NVD advisory, via GHSA)
News mentions
No linked articles in our index yet.