CVE-2026-21289
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Tags
Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.
Analysis
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Adobe Commerce instances and identify those running affected versions (2.4.4-p16 and earlier). Within 7 days: Implement WAF rules to detect and block authorization bypass attempts; enable enhanced logging for admin and privileged user activity; segment Adobe Commerce environments from critical systems where possible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today