Skip to main content

Commerce B2b CVE-2026-21289

HIGH
Incorrect Authorization (CWE-863)
2026-03-11 psirt@adobe.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 03:15 nvd
HIGH 7.5

DescriptionCVE.org

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

AnalysisAI

Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.

Technical ContextAI

Classified as CWE-863 (Incorrect Authorization). Affects Commerce B2B. Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2024-45115 CRITICAL
9.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

CVE-2025-24434 CRITICAL
9.1 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect A

CVE-2025-24410 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24417 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24416 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24415 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24414 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24413 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2025-24412 HIGH
8.7 Feb 11

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross

CVE-2024-45148 HIGH
8.8 Oct 10

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication v

CVE-2026-21290 HIGH
8.7 Mar 11

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to injec

CVE-2025-47110 HIGH
8.4 Jun 10

Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVS

Share

CVE-2026-21289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy