Adobe Commerce | Insufficiently Protected Credentials (CWE-522)
Description
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce insufficiently protected credentials allow high-privileged attackers to bypass security features and access protected resources.
Vulnerability
Details
The vulnerability is an Insufficiently Protected Credentials issue in Adobe Commerce. Affected versions include 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, and 2.4.8-beta2 and earlier. The root cause is that credentials are not adequately protected, allowing a high-privileged attacker to bypass security features [1].
Exploitation
Exploitation requires high privileges (e.g., admin-level access). No user interaction is needed. The attacker can obtain sensitive credential information, leading to unauthorized access to protected resources [1].
Impact
Successful exploitation allows the attacker to gain unauthorized access to protected resources, potentially compromising the entire system and leading to further data breaches or system takeover.
Mitigation
Adobe has released patches in later versions. Users should upgrade to the latest patched versions to remediate this vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p5 | 2.4.7-p5 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p10 | 2.4.6-p10 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p12 | 2.4.5-p12 |
| magento/community-edition (Packagist) | < 2.4.4-p13 | 2.4.4-p13 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-beta2 | 2.4.8-beta2 |
Affected products
- Range: <=2.4.7-p4, <=2.4.6-p9, <=2.4.5-p11, <=2.4.4-p12, <=2.4.8-beta2
- ghsa-coords (2 versions): >= 2.4.7-beta1, < 2.4.7-p5 (+ 1 more)
  - (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p5
  - (no CPE) range: <= 2.0.2
- Adobe/Adobe Commerce (v5), Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2r94-wm5v-4prx (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-26.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-27192 (ghsa, ADVISORY)