Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect authorization flaw in Adobe Commerce lets high-privileged attackers bypass security features and gain limited unauthorized access without user interaction.
Vulnerability
Overview
The vulnerability is an Incorrect Authorization issue in Adobe Commerce that affects versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and earlier [1]. The root cause lies in improper enforcement of authorization checks for certain high-privilege actions, allowing a security feature bypass [1].
Exploitation
Exploitation requires a high-privileged attacker, such as an administrator or another user holding an elevated role [1]. No user interaction is required, so once such an account is held (or its session or API token is stolen) nothing further stands in the way. Public advisories do not detail the attack vector; the description supports only the conclusion that a privileged account can reach functions or resources that should remain restricted even for that role. In practice, treat any admin or integration account that exists on an unpatched instance as able to step outside its assigned scope.
Impact
Successful exploitation enables the attacker to bypass intended security controls and gain limited unauthorized access [1]. This limited access could include reading sensitive data or performing certain actions beyond their authorized scope. However, the impact is described as limited, suggesting full remote code execution or complete system compromise is not achieved through this vulnerability alone [1].
Mitigation
Adobe addressed this issue in security bulletin APSB25-50, and the GitHub Security Advisory lists fixed package versions per release branch (2.4.7-p6, 2.4.6-p11 and 2.4.5-p13; see the Affected packages table below) [1]. Magento Open Source, maintained in the magento/magento2 repository [2], shares this code; the advisory's affected-package entries refer to its community-edition packages. Because no workaround is documented, updating to the patched release for your branch is the recommended mitigation; confirm the installed version with `bin/magento --version` rather than trusting a deployment record. Until the update is applied, keep administrative and integration accounts to the smallest set that genuinely needs them and review their role assignments, since exploitation requires high privileges; this reduces exposure but does not remove the flaw. Note that the CVE description lists 2.4.8 as affected while the advisory's package table carries no 2.4.8 range, so 2.4.8 installations should follow the bulletin rather than the table.
- [1] NVD - CVE-2025-49549 (https://nvd.nist.gov/vuln/detail/CVE-2025-49549)
- [2] GitHub - magento/magento2 repository
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Packagist) | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition | <= 2.0.2 | none listed |
| magento/community-edition | >= 2.4.7-beta1, < 2.4.7-p6 | 2.4.7-p6 |
| magento/community-edition | >= 2.4.6-p1, < 2.4.6-p11 | 2.4.6-p11 |
| magento/community-edition | < 2.4.5-p13 | 2.4.5-p13 |
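The mitigation advice and the table above give two different pictures of which versions are affected: the CVE description lists a highest affected patch level per release branch (2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 "and earlier"), while the GitHub Security Advisory publishes package ranges. The script below is an added example, not code from Adobe or the magento2 project; it encodes both views, orders Magento version strings the way Composer does (beta before release, `-pN` after release), and audits a composer.lock excerpt that is constructed here for illustration. The package names are the ones the advisory table uses.

```python
"""Version triage for CVE-2025-49549 (Adobe Commerce / Magento Open Source).

Added example, not code from Adobe or the magento2 project. The two sets of
ranges below are transcribed from this page: the per-branch list in the CVE
description and the package ranges in the GitHub Security Advisory table.
The composer.lock excerpt at the bottom is constructed for illustration."""
import json
import re
from typing import Optional

# Composer orders stability suffixes dev < alpha < beta < RC < (none) < patch,
# so 2.4.7-beta1 < 2.4.7 < 2.4.7-p5 < 2.4.7-p6; the tuple key reproduces that.
_STAGE_ORDER = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(dev|alpha|beta|rc|p|patch)(\d*))?$", re.IGNORECASE
)


def version_key(version: str) -> tuple:
    """Turn '2.4.7-p5' into a sortable tuple; rejects strings it cannot parse."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, stage, n = m.groups()
    stage = (stage or "").lower() or None
    if stage == "patch":
        stage = "p"
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(n or 0))


# View 1: the CVE description, read per release branch. Each entry is the
# highest affected version on that branch; older branches are affected wholesale.
DESCRIPTION_MAX_AFFECTED = {
    (2, 4, 8): "2.4.8",
    (2, 4, 7): "2.4.7-p5",
    (2, 4, 6): "2.4.6-p10",
    (2, 4, 5): "2.4.5-p12",
    (2, 4, 4): "2.4.4-p13",
}


def affected_per_description(version: str) -> bool:
    key = version_key(version)
    branch = key[:3]
    if branch in DESCRIPTION_MAX_AFFECTED:
        return key <= version_key(DESCRIPTION_MAX_AFFECTED[branch])
    # "and earlier": every branch older than the oldest listed one is affected;
    # branches newer than 2.4.8 are outside what the CVE text describes.
    return branch < min(DESCRIPTION_MAX_AFFECTED)


# View 2: the GHSA package ranges from the table above, stored as
# (lower bound inclusive or None, upper bound, whether the upper bound is inclusive).
GHSA_RANGES = {
    "magento/project-community-edition": [(None, "2.0.2", True)],
    "magento/community-edition": [
        ("2.4.7-beta1", "2.4.7-p6", False),
        ("2.4.6-p1", "2.4.6-p11", False),
        (None, "2.4.5-p13", False),
    ],
}


def affected_per_ghsa(package: str, version: str) -> Optional[bool]:
    """True/False against the advisory ranges; None if the package is not listed."""
    ranges = GHSA_RANGES.get(package)
    if ranges is None:
        return None
    key = version_key(version)
    for lower, upper, inclusive in ranges:
        if lower is not None and key < version_key(lower):
            continue
        upper_key = version_key(upper)
        if key < upper_key or (inclusive and key == upper_key):
            return True
    return False


def audit_composer_lock(lock_text: str) -> dict:
    """Map each advisory-listed package in a composer.lock to
    (installed version, affected per GHSA ranges, affected per CVE description)."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, ver = pkg.get("name"), pkg.get("version")
        if name in GHSA_RANGES and ver:
            findings[name] = (ver, affected_per_ghsa(name, ver), affected_per_description(ver))
    return findings


# Constructed composer.lock excerpt, not taken from a real deployment.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.4.6"},
        {"name": "magento/framework", "version": "103.0.6"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (ver, ghsa, desc) in audit_composer_lock(SAMPLE_COMPOSER_LOCK).items():
        print(f"{name} {ver}: GHSA ranges say affected={ghsa}, CVE text says affected={desc}")
```

Run against the constructed lock file, the two views disagree: a plain 2.4.6 install falls below the advisory's `>= 2.4.6-p1` lower bound and so is "not affected" by the table, yet it is "2.4.6-p10 and earlier" by the description. 2.4.8 shows the same gap (listed in the description, absent from the table). When the two sources differ, take the union and follow the vendor bulletin; the advisory ranges are useful for automated dependency scanning but should not be the only gate.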
Affected products
- Range: <= 2.4.8
- GHSA coordinates (2 version ranges): >= 2.4.7-beta1, < 2.4.7-p6, plus one further range (see the Affected packages table)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p6
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (CVE v5 record): 0 version ranges listed
Patches
No patches discovered yet (fixed package versions are listed under Affected packages above).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-85jx-x9r4-45m2 (GHSA; advisory)
- helpx.adobe.com/security/products/magento/apsb25-50.html (GHSA; vendor advisory; web)
- nvd.nist.gov/vuln/detail/CVE-2025-49549 (GHSA; advisory)
News mentions
No linked articles in our index yet.