CVE-2026-21359
March 11, 2026
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Affected Packages
magento/community-edition (PHP):
Affected version(s) >=2.4.5-p1 <2.4.5-p16Fix Suggestion:
Update to version 2.4.5-p16magento/community-edition (PHP):
Affected version(s) >=2.4.9-alpha1 <2.4.9-beta1Fix Suggestion:
Update to version 2.4.9-beta1magento/community-edition (PHP):
Affected version(s) >=2.4.4-p1 <2.4.4-p17Fix Suggestion:
Update to version 2.4.4-p17magento/community-edition (PHP):
Affected version(s) >=2.4.6-p1 <2.4.6-p14Fix Suggestion:
Update to version 2.4.6-p14magento/community-edition (PHP):
Affected version(s) >=2.4.7-p1 <2.4.7-p9Fix Suggestion:
Update to version 2.4.7-p9magento/community-edition (PHP):
Affected version(s) >=2.4.8-p1 <2.4.8-p4Fix Suggestion:
Update to version 2.4.8-p4Related ResourcesĀ (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
4.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Incorrect Authorization
EPSS
Base Score:
0.07
