CVE-2026-21309
Published: 11 March 2026
Summary
CVE-2026-21309 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Commerce. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21309 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16, and earlier. Published on 2026-03-11, this issue enables a security feature bypass, allowing attackers to gain unauthorized view access to data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.
Unauthenticated attackers with network access to the affected Adobe Commerce instance can exploit this vulnerability without requiring user interaction. Exploitation bypasses authorization controls, resulting in unauthorized read access to sensitive data that should otherwise be protected.
Adobe's security bulletin APSB26-05, detailed at https://helpx.adobe.com/security/products/magento/apsb26-05.html, addresses this issue for the specified versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11061
Vulnerability details
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view…
more
access of data. Exploitation of this issue does not require user interaction.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authz bypass in public-facing Adobe Commerce web app directly enables T1190 for unauthenticated network-based data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for access to resources, directly preventing the incorrect authorization bypass that allows unauthorized data view access in this CVE.
SI-2 requires timely identification, reporting, and correction of system flaws like this CVE, mitigating exploitation through patching affected Adobe Commerce versions.
AC-6 enforces least privilege to restrict access to only necessary resources, partially limiting the impact of unauthorized view access resulting from the authorization bypass.