CVE-2025-49556

Severity: 7.5 HIGH
EPSS: 0.1% (top 64.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 12

Description

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (6 packages)

NVD: adobe/commerce < 2.4.4 (+5)
NVD: adobe/commerce_b2b < 1.3.3 (+6)
CVEListV5: adobe/adobe_commerce 2.4.4-p14
NVD: adobe/magento < 2.4.5 (+5)
Packagist: magento/community-edition 2.4.9-alpha1, 2.4.9-alpha2 (+4)

Vulnerability Details (3)

CVEList: Adobe Commerce | Incorrect Authorization (CWE-863) (2025-08-12)
GHSA: Magento has incorrect authorization issue that leads to arbitrary file system read (2025-08-12)
OSV: Magento has incorrect authorization issue that leads to arbitrary file system read (2025-08-12)

Source: cvebase.io (CVE-2025-49556, HIGH, CVSS 7.5)