Skip to main content

Adobe Commerce CVE-2026-47996

| EUVDEUVD-2026-44414 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-14 adobe GHSA-q859-ffv8-vcmh
6.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (adobe) PRIMARY
HIGH
qualitative
NVD
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.6 HIGH

Network-reachable but requires an existing high-privilege account (PR:H) with low complexity and no user interaction; incorrect authorization yields high confidentiality read impact with scope change and minor availability effect, no integrity impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 15, 2026 - 14:37 NVD
HIGH MEDIUM
CVSS changed
Jul 15, 2026 - 14:37 NVD
7.6 (HIGH) 6.8 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 20:58 vuln.today
CVE Published
Jul 14, 2026 - 19:44 nvd
HIGH 7.6

DescriptionNVD

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege Commerce account
Delivery
Send crafted request over network
Exploit
Bypass incorrect authorization check
Execution
Read restricted cross-scope data
Impact
Exfiltrate sensitive commerce data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a high-privileged (administrative or equivalent) authenticated account on the Adobe Commerce / Magento instance - the CVSS vector's PR:H makes elevated privileges a hard prerequisite and is the primary factor limiting real-world exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L, base 7.6) describes a network-reachable, low-complexity issue that nonetheless requires high privileges (PR:H) - the attacker must already hold an elevated/administrative account, which is the single largest limiting factor and pulls real-world risk well below what the network vector alone might suggest. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a high-privilege Adobe Commerce account - for example a compromised administrator or a malicious insider - sends crafted requests over the network to the affected functionality. Because the authorization check is applied incorrectly, the platform returns restricted data the account should not be able to read, and the changed scope lets that exposure extend to resources beyond the immediately targeted component. …
Remediation Apply the fixes described in Adobe security bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html); Patch available per vendor advisory, though an exact fixed version number is not present in the supplied data and must be taken directly from that bulletin for each edition (Adobe Commerce, Adobe Commerce B2B, Magento Open Source) and for the Webhooks plugin - do not assume a version not stated there. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all instances of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source running in your environment and document their versions; disable the Webhooks plugin if not actively required; audit administrative users and revoke unnecessary access, retaining only essential admin accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48358 CRITICAL
10.0 Jul 14

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u

CVE-2021-36020 CRITICAL
9.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj

CVE-2026-48356 CRITICAL
9.6 Jul 14

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file

CVE-2026-47984 CRITICAL
9.1 Jul 14

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug

CVE-2026-47988 CRITICAL
9.1 Jul 14

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi

CVE-2021-36032 HIGH
8.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36044 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36030 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2026-47992 HIGH
7.2 Jul 14

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows

CVE-2021-36042 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36041 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36040 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

Share

CVE-2026-47996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy