CVE-2026-21309

CWE-863Incorrect Authorization4 documents4 sources
Severity
7.5HIGH
EPSS
0.1%
top 65.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Adobe CommerceAdobe Commerce B2BAdobe Magento+1 more
Timeline
PublishedMar 11

Description

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDadobe/commerce< 2.4.4+6
NVDadobe/commerce_b2b< 1.3.3+6
CVEListV5adobe/adobe_commerce2.4.4-p16
NVDadobe/magento< 2.4.5+5

🔴Vulnerability Details

2
GHSA
GHSA-c9gx-chv2-76wq: Adobe Commerce versions 22026-03-11
CVEList
Adobe Commerce | Incorrect Authorization (CWE-863)2026-03-11

🕵️Threat Intelligence

1
Wiz
CVE-2026-21309 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-21309 (HIGH CVSS 7.5) | Adobe Commerce versions 2.4.9-alpha | cvebase.io