Is Commerce B2b affected by CVE-2026-21309?

Adobe Commerce installations running versions 2.4.9-alpha3 through 2.4.4-p16 are vulnerable to an authorization bypass that could allow attackers to circumvent security controls and access restricted functionality.

CVE-2026-21309

HIGH

2026-03-11 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 03:15 nvd

HIGH 7.5

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

Analysis

Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.

Remediation

Within 24 hours: Inventory all Adobe Commerce instances and confirm versions against the affected list; assess whether production systems are exposed. Within 7 days: Implement compensating controls (WAF rules blocking exploitation patterns, network segmentation restricting admin access, disable non-essential features); contact Adobe for patch availability timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-21309 vulnerability details – vuln.today

Back

CVE-2026-21309

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-21309

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code