CVE-2026-21309 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-21309

CVE-2026-21309

March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

Affected Packages

magento/community-edition (PHP):

Affected version(s) >=2.4.6-p1 <2.4.6-p14

Fix Suggestion:

Update to version 2.4.6-p14

magento/community-edition (PHP):

Affected version(s) >=2.4.5-p1 <2.4.5-p16

Fix Suggestion:

Update to version 2.4.5-p16

magento/community-edition (PHP):

Affected version(s) >=2.4.8-p1 <2.4.8-p4

Fix Suggestion:

Update to version 2.4.8-p4

magento/community-edition (PHP):

Affected version(s) >=2.4.7-p1 <2.4.7-p9

Fix Suggestion:

Update to version 2.4.7-p9

magento/community-edition (PHP):

Affected version(s) >=2.4.9-alpha1 <2.4.9-beta1

Fix Suggestion:

Update to version 2.4.9-beta1

magento/community-edition (PHP):

Affected version(s) >=2.4.4-p1 <2.4.4-p17

Fix Suggestion:

Update to version 2.4.4-p17

Related Resources (1)

https://helpx.adobe.com/security/products/magento/apsb26-05.html

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Incorrect Authorization

EPSS

Base Score:

0.13