External risk intelligence

Adobe Commerce Incorrect Authorization Vulnerability Allows Unauthorized Access.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-47984

Adobe Commerce (formerly Magento) is a widely used e-commerce platform designed to host public-facing storefronts and web applications. By its nature as a web commerce solution, it is typically deployed as an internet-facing web service to facilitate customer transactions, making public accessibility a standard and intended deployment pattern.

Adobe Commerce

2.4.42.4.52.4.6

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An incorrect authorization vulnerability has been identified in Adobe Commerce, a platform used for online stores. This flaw allows unauthorized individuals to bypass security controls, potentially gaining access to sensitive information and systems without needing any interaction from a user. The main concern is confirming whether our environment is relevant and exposed to this threat.

  • Bypasses security, grants unauthorized access.
  • Affects widely used e-commerce platforms.
  • Confirm relevance and exposure for your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit an incorrect authorization flaw in Adobe Commerce by directly accessing the network to bypass security controls. This allows them to gain unauthorized read and write access to sensitive data without any user interaction being necessary.

  • No special access needed.
  • Bypasses security features.
  • Unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

Adobe Commerce instances affected by this vulnerability could allow an unauthenticated attacker to bypass security controls, potentially leading to unauthorized access to system data and modification of service behavior. This could occur when the platform is exposed to the internet and an attacker finds a way to exploit the authorization flaw.

  • System data and service integrity.
  • Bypass security measures via network access.
  • Unauthorized read and write access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The application owner for Adobe Commerce or Magento is responsible for addressing this vulnerability. The first step is to confirm the presence and reachability of affected Adobe Commerce instances, determine business criticality, and identify the specific owner for remediation planning.

  • Application owners should manage the issue.
  • Verify exposure and business criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Adobe Commerce?

Adobe Commerce, formerly known as Magento, is a robust software platform used by businesses to build and manage online stores. It handles essential tasks like product catalogs, customer transactions, and inventory management. Because it is designed to facilitate shopping, it is typically set up as a web-based service accessible to customers over the internet.

What is the vulnerability in CVE-2026-47984?

This CVE involves an 'Incorrect Authorization' flaw, categorized as CWE-863. In plain terms, this means the software fails to properly verify if a user has permission to perform a specific action. Because of this weakness, an unauthorized person can bypass security checks, effectively granting them the ability to read or modify data that should have been protected.

How does an attacker trigger this security flaw?

An attacker triggers this vulnerability by sending specially crafted requests over the network to an affected Adobe Commerce instance. Notably, the flaw does not require any interaction from legitimate users, such as clicking a link or logging in. It cannot be triggered by internal, non-network-based actions because it specifically relies on the ability to reach the application's interface.

Is my instance at risk from CVE-2026-47984?

According to Halo Surface Signal, instances that are internet-facing are at the highest risk because this platform is designed for public commerce. If your Adobe Commerce deployment is reachable from the public internet, it falls into the category of systems that should be prioritized for review, as the vulnerability is exploitable via network access without requiring existing credentials.

What should I do if I run Adobe Commerce?

Your first step is to identify all Adobe Commerce and Magento instances within your environment and verify their current version against the affected list. Once you have an inventory, coordinate with the application owners to assess the business criticality of those specific systems. This information will help you plan and prioritize your next steps for mitigation.

References