Cyber Resilience

CVE-2026-21309

High

Published: 11 March 2026

Published
11 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0015 35.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21309 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Commerce. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21309 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. Published on 2026-03-11, this issue enables a security feature bypass, allowing attackers to gain unauthorized view access to data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.

Unauthenticated attackers with network access to the affected Adobe Commerce instance can exploit this vulnerability without requiring user interaction. Exploitation bypasses authorization controls, resulting in unauthorized read access to sensitive data that should otherwise be protected.

Adobe's security bulletin APSB26-05, detailed at https://helpx.adobe.com/security/products/magento/apsb26-05.html, addresses this issue for the specified versions.

EU & UK References

Vulnerability details

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view…

more

access of data. Exploitation of this issue does not require user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authz bypass in public-facing Adobe Commerce web app directly enables T1190 for unauthenticated network-based data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34645Same product: Adobe Commerce
CVE-2026-21289Same product: Adobe Commerce
CVE-2026-34646Same product: Adobe Commerce
CVE-2025-24409Same product: Adobe Commerce
CVE-2025-24434Same product: Adobe Commerce
CVE-2026-34647Same product: Adobe Commerce
CVE-2026-34648Same product: Adobe Commerce
CVE-2026-21284Same product: Adobe Commerce
CVE-2025-24438Same product: Adobe Commerce
CVE-2025-54236Same product: Adobe Commerce

Affected Assets

adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4
adobe
commerce b2b
1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.2 · ≤ 1.3.3
adobe
magento
2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9 · ≤ 2.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to resources, directly preventing the incorrect authorization bypass that allows unauthorized data view access in this CVE.

prevent

SI-2 requires timely identification, reporting, and correction of system flaws like this CVE, mitigating exploitation through patching affected Adobe Commerce versions.

prevent

AC-6 enforces least privilege to restrict access to only necessary resources, partially limiting the impact of unauthorized view access resulting from the authorization bypass.

References