Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce CSRF vulnerability allows high-privileged attackers to trick authenticated users into unintended actions, leading to privilege escalation.
Vulnerability
Overview
CVE-2025-49555 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14, and earlier [1]. The root cause is insufficient validation of HTTP requests, allowing an attacker to forge requests on behalf of an authenticated victim.
Exploitation
Conditions
Exploitation requires a high-privileged attacker to craft a malicious link or website [1]. The victim must be authenticated to the Adobe Commerce instance and visit the attacker-controlled page or click the crafted link. No additional privileges are needed beyond the attacker's existing high-privileged account. The scope of the vulnerability is changed, indicating potential impact across different security contexts.
Impact
Successful exploitation enables the attacker to perform unintended actions with the victim's privileges, potentially leading to privilege escalation [1]. This could result in unauthorized access to sensitive data or modification of configuration and content within the application.
Mitigation
Adobe has not yet released a specific patch for this CVE, but users are advised to apply the latest security updates from Adobe or restrict access to trusted networks and users until a fix is available. The affected versions are clearly listed, and upgrading to a non-affected version is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha2 | 2.4.9-alpha2 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p2 | 2.4.8-p2 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | < 2.4.5-p14 | 2.4.5-p14 |
Affected products
- Range: <=2.4.9-alpha1, <=2.4.8-p1, <=2.4.7-p6, <=2.4.6-p11, <=2.4.5-p13, <=2.4.4-p14
- Adobe/Adobe Commerce (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-5777-jj7p-mpqw (GHSA, advisory)
- https://helpx.adobe.com/security/products/magento/apsb25-71.html (GHSA, vendor advisory, web)
- https://nvd.nist.gov/vuln/detail/CVE-2025-49555 (GHSA, advisory)
News mentions
No linked articles in our index yet.