Adobe Commerce | Improper Access Control (CWE-284)
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-27206 is an Improper Access Control vulnerability in Adobe Commerce allowing unauthenticated attackers to bypass security features and gain limited write access.
Vulnerability Overview
CVE-2025-27206 is an Improper Access Control vulnerability affecting Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and earlier. The root cause lies in insufficient enforcement of access controls, which allows an attacker to bypass intended security mechanisms [1].
Exploitation Conditions
This vulnerability can be exploited without requiring any user interaction. An unauthenticated attacker does not need to trick an administrator or user into performing any action, lowering the barrier to exploitation. The attacker can trigger the bypass remotely, gaining unauthorized write access to certain resources [1].
Potential Impact
A successful exploit results in a security feature bypass and limited write access. This means an attacker could modify certain application data or settings, potentially leading to further compromise. While the write access is described as limited, it could still allow actions that impact the integrity of the Adobe Commerce instance [1].
Mitigation
Adobe has released security updates to address this vulnerability in the affected versions. Users are advised to upgrade to the latest patched versions of Adobe Commerce or Magento Open Source. The project source code is available on GitHub for review [2]. No workarounds have been publicly documented; updating to the fixed versions is the recommended course of action.
- [1] NVD - CVE-2025-27206
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p6 | 2.4.7-p6 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p11 | 2.4.6-p11 |
| magento/community-edition (Packagist) | < 2.4.5-p13 | 2.4.5-p13 |
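As an added example (not code from Adobe, the magento2 project or this advisory), the following Python check parses Magento-style version strings using Composer's ordering (a `-betaN` pre-release sorts before the bare release and a `-pN` patch release sorts after it) and tests a parsed composer.lock document against the ranges in the table above; the package names and range specs are taken from the table, and the sample lock document is constructed for this page.

```python
import re

# Composer's stability ordering: pre-releases sort before the bare release,
# and Magento's "-pN" patch releases sort after it (2.4.7-beta1 < 2.4.7 < 2.4.7-p1).
_STAGE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "": 4, "pl": 5, "p": 5}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|a|beta|b|rc|pl|p)(\d*))?$", re.I)
_CLAUSE_RE = re.compile(r"^\s*(<=|>=|<|>)\s*(\S+)\s*$")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text: str) -> tuple:
    """Turn '2.4.7-p5' into a tuple that orders correctly against '2.4.7' and '2.4.7-beta1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[(stage or "").lower()], int(num or 0))

def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction of constraints such as '>= 2.4.7-beta1, < 2.4.7-p6'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

# Affected ranges copied from the GHSA table above: package -> list of range specs.
AFFECTED_RANGES = {
    "magento/project-community-edition": ["<= 2.0.2"],
    "magento/community-edition": [">= 2.4.7-beta1, < 2.4.7-p6",
                                  ">= 2.4.6-p1, < 2.4.6-p11",
                                  "< 2.4.5-p13"],
}

def is_affected(package: str, version: str) -> bool:
    """True if the installed version of package falls inside any listed affected range."""
    return any(in_range(version, spec) for spec in AFFECTED_RANGES.get(package, []))

def check_composer_lock(lock: dict) -> list:
    """Scan a parsed composer.lock (json.load output) and return the affected (name, version) pairs."""
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return [(p["name"], p["version"]) for p in pkgs if is_affected(p.get("name", ""), p.get("version", ""))]

# Constructed sample lock document (not from any real store) to exercise the check.
SAMPLE_LOCK = {"packages": [{"name": "magento/community-edition", "version": "2.4.7-p5"},
                            {"name": "monolog/monolog", "version": "2.9.1"}]}
```

The CVE description also lists 2.4.8 and 2.4.4-p13 as affected, and 2.4.8 falls outside every range in the table, so a clean result here is a check against the GHSA data only and the vendor advisory remains authoritative.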
Affected products
- Adobe Commerce range: <=2.4.8, <=2.4.7-p5, <=2.4.6-p10, <=2.4.5-p12, <=2.4.4-p13
- GHSA coordinates: >= 2.4.7-beta1, < 2.4.7-p6 (and 1 more range)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p6
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g2pj-xmxq-3r9q (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb25-50.html (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-27206 (NVD advisory, via GHSA)
News mentions
No linked articles in our index yet.