What is the CVSS score of CVE-2026-21309?

CVE-2026-21309 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Magento are affected by CVE-2026-21309?

Adobe Commerce installations running versions 2.4.9-alpha3 through 2.4.4-p16 are vulnerable to an authorization bypass that could allow attackers to circumvent security controls and access restricted…

Magento CVE-2026-21309

HIGH

Incorrect Authorization (CWE-863)

2026-03-11 psirt@adobe.com

Adobe Magento Commerce Commerce B2b

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 03:15 nvd

HIGH 7.5

DescriptionNVD

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

AnalysisAI

Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.

RemediationAI

Within 24 hours: Inventory all Adobe Commerce instances and confirm versions against the affected list; assess whether production systems are exposed. Within 7 days: Implement compensating controls (WAF rules blocking exploitation patterns, network segmentation restricting admin access, disable non-essential features); contact Adobe for patch availability timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-21309 vulnerability details – vuln.today

Back

Magento CVE-2026-21309

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code