Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier have an incorrect authorization bug that lets low-privileged attackers bypass security controls and gain unauthorized access without user interaction.
Vulnerability Details
The vulnerability is an Incorrect Authorization (CWE-863) in Adobe Commerce, affecting versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier [1]. Due to improper authorization checks, the software fails to correctly verify user permissions for certain actions.
Exploitation
A low-privileged authenticated attacker can exploit this flaw without any user interaction [1]. The attacker can send specially crafted requests to bypass security measures, leveraging their existing low-level access to escalate privileges or perform unauthorized operations.
Impact
Successful exploitation allows the attacker to maintain unauthorized access and bypass security controls [1]. This could lead to data leakage, privilege escalation, or full compromise of the affected system.
Mitigation
Users should upgrade to a version of Adobe Commerce that is not listed as affected [1]. For the latest security updates, refer to the official Adobe security bulletin. The Magento Open Source repository [2] may contain relevant code for review.
- [1] NVD - CVE-2025-54263
- [2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha3 | 2.4.9-alpha3 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p3 | 2.4.8-p3 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p8 | 2.4.7-p8 |
| magento/community-edition (Packagist) | < 2.4.6-p13 | 2.4.6-p13 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.9-alpha2
- Adobe/Adobe Commerce v5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-69x9-xp2j-w8g8 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb25-94.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-54263 (GHSA, advisory)
News mentions
No linked articles in our index yet.