Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce suffers from an improper access control vulnerability allowing attackers to bypass security features and gain unauthorized access without user interaction.
Vulnerability
Overview
CVE-2025-27190 is an Improper Access Control vulnerability in Adobe Commerce affecting versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier [1]. The flaw allows an attacker to bypass security features, leading to unauthorized access.
Exploitation
The vulnerability can be exploited without any user interaction, meaning an attacker can trigger it remotely without requiring the victim to perform any action [1]. The exact attack vector is not detailed, but improper access control typically involves manipulating requests or parameters to access restricted resources.
Impact
Successful exploitation results in a security feature bypass, potentially granting the attacker unauthorized access to sensitive data or administrative functions. This could compromise the confidentiality and integrity of the affected Adobe Commerce installation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p5 | 2.4.7-p5 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p10 | 2.4.6-p10 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p12 | 2.4.5-p12 |
| magento/community-edition (Packagist) | < 2.4.4-p13 | 2.4.4-p13 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-beta2 | 2.4.8-beta2 |
Affected products
- Range: <=2.4.7-p4, <=2.4.6-p9, <=2.4.5-p11, <=2.4.4-p12, <=2.4.8-beta2
- ghsa-coords (2 versions): >= 2.4.7-beta1, < 2.4.7-p5 (+ 1 more)
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p5
  - (no CPE) range: <= 2.0.2
- Adobe/Adobe Commerce (v5), Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-6wq7-cg9h-mj6q (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-26.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-27190 (ghsa, ADVISORY)