VYPR
Moderate severity · NVD Advisory · Published Jun 25, 2025 · Updated Jun 25, 2025

Adobe Commerce | Incorrect Authorization (CWE-863)

CVE-2025-49550

Description

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that allows a limited security feature bypass through user interaction.

Vulnerability

Overview

CVE-2025-49550 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce, and the Magento Open Source packages listed below, in versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier. CWE-863 covers authorization decisions that are made on the wrong basis or not enforced, so an authorization check that should block a request does not; here the consequence is described as a security feature bypass that grants limited unauthorized access [1].

Exploitation

Exploitation requires user interaction: the attacker must induce a legitimate user to perform some action, which in practice usually means a social-engineering step such as following a crafted link. The advisory does not describe the affected component, the request involved, the privileges the attacker needs, or whether the attacker needs an account of their own, so those details should not be assumed in either direction [1].

Impact

A successful attack yields limited unauthorized access rather than full compromise. This page records the severity as moderate; the CVSS vector string is not given here. Because the weakness is incorrect authorization, the practical effect is that the attacker can pass a check (such as a permission or ownership test) that should have stopped them, and so exercise a capability not intended for their role [1].

Mitigation

Fixed releases are listed in the affected packages section below: 2.4.7-p6, 2.4.6-p11 and 2.4.5-p13 for magento/community-edition. No patched version is listed there for magento/project-community-edition (<= 2.0.2) or for the 2.4.8 line named in the description; for those, consult the Adobe Security Bulletin and the Magento Open Source repository [2]. Upgrade to the patched release for your line. Until that is done, reduce the chance that a tricked user can reach a privileged path: restrict the admin interface by network (IP allowlisting or VPN), require two-factor authentication for admin accounts, keep admin session lifetimes short, and remind admin users not to follow untrusted links while logged in.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            | Ecosystem | Affected versions          | Patched versions
magento/project-community-edition  | Packagist | <= 2.0.2                   | none listed
magento/community-edition          | Packagist | >= 2.4.7-beta1, < 2.4.7-p6 | 2.4.7-p6
magento/community-edition          | Packagist | >= 2.4.6-p1, < 2.4.6-p11   | 2.4.6-p11
magento/community-edition          | Packagist | < 2.4.5-p13                | 2.4.5-p13
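As an added example (not part of this page, the GitHub Security Advisory, or any Adobe or Magento tooling), the script below encodes the version ranges from the table above, plus the 2.4.8 entry that only the CVE description names, and checks a composer.lock against them. The point it demonstrates is the version ordering: Composer sorts a "-beta" suffix below the bare version and a "-p" patch suffix above it, so 2.4.7-beta1 is inside the affected range while 2.4.7-p6 is not, and a naive string or float comparison gets both wrong. The composer.lock content is constructed for the example; the package names and version bounds are the ones on this page.

```python
"""Check a composer.lock against the CVE-2025-49550 version ranges listed above."""
import json
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Composer orders stability suffixes dev < alpha < beta < RC < stable < patch,
# so "2.4.7-beta1" < "2.4.7" < "2.4.7-p1" < "2.4.7-p6". The rank encodes that.
_SUFFIX_RANK = {"dev": -4, "alpha": -3, "beta": -2, "rc": -1, "": 0, "p": 1, "patch": 1}
_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?:-(dev|alpha|beta|rc|patch|p)(\d*))?$", re.IGNORECASE
)

Version = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> Version:
    """Turn '2.4.7-p5' into a tuple that sorts the way Composer sorts it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # 2.4.7 compares equal to 2.4.7.0
    suffix = (m.group(2) or "").lower()
    suffix_num = int(m.group(3)) if m.group(3) else 0
    return (nums, _SUFFIX_RANK[suffix], suffix_num)


_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}

# Ranges copied from the affected-packages table on this page. The single
# 2.4.8 entry comes from the CVE description, which names 2.4.8 as affected
# but lists no fixed version for it.
ADVISORY_RANGES: Dict[str, List[dict]] = {
    "magento/project-community-edition": [
        {"constraints": [("<=", "2.0.2")], "patched": None},
    ],
    "magento/community-edition": [
        {"constraints": [(">=", "2.4.8"), ("<=", "2.4.8")], "patched": None},
        {"constraints": [(">=", "2.4.7-beta1"), ("<", "2.4.7-p6")], "patched": "2.4.7-p6"},
        {"constraints": [(">=", "2.4.6-p1"), ("<", "2.4.6-p11")], "patched": "2.4.6-p11"},
        {"constraints": [("<", "2.4.5-p13")], "patched": "2.4.5-p13"},
    ],
}

NO_FIX_LISTED = "no patched version listed"


def in_range(installed: str, constraints: Sequence[Tuple[str, str]]) -> bool:
    """True when the installed version satisfies every bound of one table row."""
    v = parse_version(installed)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in constraints)


def check_package(name: str, installed: str) -> Optional[str]:
    """Return the patched version to move to if affected, NO_FIX_LISTED if
    affected with no fix on the page, or None if the version is not in range."""
    for rng in ADVISORY_RANGES.get(name, []):
        if in_range(installed, rng["constraints"]):
            return rng["patched"] or NO_FIX_LISTED
    return None


def check_composer_lock(lock_json: str) -> List[Tuple[str, str, str]]:
    """Scan every locked package and report (name, installed, action) triples."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        verdict = check_package(pkg["name"], pkg["version"])
        if verdict is not None:
            findings.append((pkg["name"], pkg["version"], verdict))
    return findings


# Constructed composer.lock fragment for the example (not from a real store).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.4.7-p5"},
        {"name": "magento/framework", "version": "103.0.7-p5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, installed, action in check_composer_lock(SAMPLE_LOCK):
        print(f"{name} {installed}: affected, upgrade to {action}")
```

Run it against a real file with `check_composer_lock(open("composer.lock").read())`. The check mirrors the table rather than second-guessing it: a bare 2.4.6 (no patch suffix) falls outside both the 2.4.6-p1 to 2.4.6-p11 row and the < 2.4.5-p13 row, and nothing after 2.4.8 is covered, so a clean result here means only that the installed version is not in a range this page publishes, not that the installation is known to be fixed.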

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.