Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions before 2.4.9-alpha1 contain an Incorrect Authorization vulnerability allowing unauthorized read access without user interaction.
Vulnerability Overview
CVE-2025-49556 is an Incorrect Authorization vulnerability in Adobe Commerce affecting versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14, and earlier [1]. The flaw arises from improper authorization checks, enabling a security feature bypass.
Exploitation
An attacker can exploit this vulnerability without any user interaction or authentication prerequisites [1]. The attack surface is network-based, and successful exploitation does not change the scope of the impact, meaning the compromised component remains within its original security boundary.
Impact
The primary impact is unauthorized read access to sensitive information [1]. Depending on the context, this could include customer data, order details, or other confidential information stored within the Adobe Commerce database.
Mitigation
Adobe has released security updates to address this vulnerability as part of their regular patch cycle. Users should upgrade to a patched version (e.g., 2.4.9-alpha1 or later) to remediate the issue [2]. No workarounds have been published at this time.
- NVD - CVE-2025-49556
- GitHub - magento/magento2
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha2 | 2.4.9-alpha2 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p2 | 2.4.8-p2 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | < 2.4.5-p14 | 2.4.5-p14 |
Affected products
- Range: <=2.4.9-alpha1
- Adobe/Adobe Commerce v5 Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-7hrj-3c9x-xv5h (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-71.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-49556 (ghsa, ADVISORY)