VYPR
Moderate severity · NVD Advisory · Published Apr 8, 2025 · Updated Apr 8, 2025

Adobe Commerce | Improper Access Control (CWE-284)

CVE-2025-27191

Description

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce is vulnerable to an improper access control flaw that lets an attacker bypass security features and gain unauthorized access without user interaction.

What the vulnerability is

CVE-2025-27191 is an improper access control vulnerability in Adobe Commerce affecting versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier [1]. The root cause is a flaw in how the software enforces authorization, allowing an attacker to bypass intended security measures [1].

How it's exploited

Exploitation does not require user interaction, meaning the attack can be carried out without triggering any user action [1]. The vulnerability is network-based and does not require authentication—the attacker simply sends a crafted request to the affected Adobe Commerce instance to bypass access controls [1].

Impact

Successful exploitation results in a security feature bypass, granting the attacker unauthorized access to resources or functionality that should be restricted [1]. This could include reading or modifying sensitive data, performing administrative actions, or accessing restricted areas of the e-commerce platform. The vendor has not provided a CVSS version 4.0 score at the time of publication [1].

Mitigation

As of the publication date (8 April 2025), Adobe has released patched versions to address the vulnerability. Adobe Commerce users should upgrade to 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, or 2.4.8-beta3 (or later) as applicable. The source code is available through the Magento Open Source repository [2], and it is recommended to apply the security update promptly.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)                              Affected versions                 Patched versions
magento/project-community-edition (Packagist)    <= 2.0.2
magento/community-edition (Packagist)            >= 2.4.7-beta1, < 2.4.7-p5        2.4.7-p5
magento/community-edition (Packagist)            >= 2.4.6-p1, < 2.4.6-p10          2.4.6-p10
magento/community-edition (Packagist)            >= 2.4.5-p1, < 2.4.5-p12          2.4.5-p12
magento/community-edition (Packagist)            < 2.4.4-p13                       2.4.4-p13
magento/community-edition (Packagist)            >= 2.4.8-beta1, < 2.4.8-beta2     2.4.8-beta2

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)