Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Network-reachable but requires an existing high-privilege account (PR:H) with low complexity and no user interaction; incorrect authorization yields high confidentiality read impact with scope change and minor availability effect, no integrity impact.
Primary rating from Vendor (adobe).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.
AnalysisAI
Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a high-privileged (administrative or equivalent) authenticated account on the Adobe Commerce / Magento instance - the CVSS vector's PR:H makes elevated privileges a hard prerequisite and is the primary factor limiting real-world exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L, base 7.6) describes a network-reachable, low-complexity issue that nonetheless requires high privileges (PR:H) - the attacker must already hold an elevated/administrative account, which is the single largest limiting factor and pulls real-world risk well below what the network vector alone might suggest. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a high-privilege Adobe Commerce account - for example a compromised administrator or a malicious insider - sends crafted requests over the network to the affected functionality. Because the authorization check is applied incorrectly, the platform returns restricted data the account should not be able to read, and the changed scope lets that exposure extend to resources beyond the immediately targeted component. … |
| Remediation | Apply the fixes described in Adobe security bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html); Patch available per vendor advisory, though an exact fixed version number is not present in the supplied data and must be taken directly from that bulletin for each edition (Adobe Commerce, Adobe Commerce B2B, Magento Open Source) and for the Webhooks plugin - do not assume a version not stated there. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all instances of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source running in your environment and document their versions; disable the Webhooks plugin if not actively required; audit administrative users and revoke unnecessary access, retaining only essential admin accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Commerce
View allRemote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj
Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file
Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug
Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44414
GHSA-q859-ffv8-vcmh