Adobe Commerce | Incorrect Authorization (CWE-863)
Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to an incorrect authorization bug that lets low-privileged attackers escalate privileges and compromise data integrity.
Vulnerability
Overview
CVE-2025-54267 is an Incorrect Authorization vulnerability affecting Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. The root cause lies in insufficient access control checks, which allows a low-privileged attacker to bypass intended security measures [1].
Exploitation
An attacker with low privileges can exploit this flaw without any user interaction. The attack does not require social engineering or additional authentication steps beyond the initial low-privileged session. The vulnerability is network-accessible, meaning the attacker only needs to send crafted requests to the affected Adobe Commerce instance [1].
Impact
Successful exploitation enables the attacker to gain unauthorized access to elevated privileges, raising the integrity impact to high. In practice this means the attacker could modify critical data or system configurations, potentially leading to data corruption, unauthorized changes to product listings, or other integrity violations [1].
Mitigation
Adobe has not yet released a security patch for this vulnerability as of the publication date. Users are advised to monitor the official Adobe Security Bulletin and the Magento Open Source repository [2] for updates. Until a fix is available, administrators should review and restrict low-privileged user permissions and apply network-level controls to limit exposure.
[1] NVD - CVE-2025-54267
[2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha3 | 2.4.9-alpha3 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p3 | 2.4.8-p3 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p8 | 2.4.7-p8 |
| magento/community-edition (Packagist) | < 2.4.6-p13 | 2.4.6-p13 |
Affected products
- Range: <=2.4.9-alpha2
- Adobe/Adobe Commerce (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qvwr-p3hj-j6jf (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-94.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-54267 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.