Platform: adobe
Component: adobe-commerce
Fixed in: 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3, 2.4.9-alpha3
CVE-2026-21285 describes an Incorrect Authorization vulnerability within Adobe Commerce. This flaw allows a low-privileged attacker to bypass security controls and achieve limited, unauthorized access to specific features. The vulnerability impacts versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 and earlier. Adobe has released patches to address this issue.
The Incorrect Authorization vulnerability allows an attacker to circumvent intended security restrictions within Adobe Commerce. This means an attacker, even with limited privileges, can access functionalities or data they shouldn't be able to reach. While the impact is described as 'limited unauthorized access,' the specific features affected are not detailed in the CVE description. This could potentially lead to data exposure, manipulation of configurations, or even escalation of privileges depending on the bypassed security measures. The lack of user interaction required for exploitation makes this vulnerability particularly concerning, as attacks can be automated and launched at scale.
CVE-2026-21285 was publicly disclosed on March 11, 2026. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability's CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not currently known, but the lack of a public exploit does not guarantee it won't be exploited in the future.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-21285 is to upgrade Adobe Commerce to a patched version. Adobe has released updates to address this vulnerability; consult the official Adobe Security Bulletin for the specific version containing the fix. If immediate patching is not possible due to compatibility concerns or testing requirements, consider implementing stricter access controls and reviewing existing security policies to minimize the potential impact of a successful exploit. Regularly monitor Adobe Commerce logs for any suspicious activity that might indicate an attempted bypass. After upgrading, confirm the fix by attempting to access restricted features with a low-privileged user account and verifying that access is denied.
Update Adobe Commerce to the latest available version. See the Adobe security bulletin for more information and the fixed versions.
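A quick way to check an installed version against the "Fixed in" list above is a small version comparator that understands Adobe Commerce's `-pN` and `-alphaN` suffixes. This is an added example, not code from Adobe or from this advisory; it assumes the ordering alpha < beta < GA < pN within a release line, and it conservatively reports any release line without a listed fix (2.4.4 and older) as unpatched.

```python
import re

# Fixed-in versions from the advisory, keyed by release line (major, minor, patch).
FIXED_IN = {
    (2, 4, 5): ("p", 15),
    (2, 4, 6): ("p", 13),
    (2, 4, 7): ("p", 8),
    (2, 4, 8): ("p", 3),
    (2, 4, 9): ("alpha", 3),
}

# Assumed ordering of suffixes within one release line: pre-releases, then GA, then patch levels.
SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(version: str):
    """Split '2.4.7-p8' into ((2, 4, 7), ('p', 8)); GA releases get (None, 0)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    line = tuple(int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    number = int(m.group(5)) if m.group(5) else 0
    return line, (suffix, number)


def is_patched(version: str) -> bool:
    """True if the version is at or beyond the fixed-in release for its line."""
    line, (suffix, number) = parse_version(version)
    fix = FIXED_IN.get(line)
    if fix is None:
        # No fix listed for this line (e.g. 2.4.4-p16 and earlier): treat as unpatched.
        return False
    fix_suffix, fix_number = fix
    installed = (SUFFIX_RANK[suffix], number)
    required = (SUFFIX_RANK[fix_suffix], fix_number)
    return installed >= required


def unpatched(versions):
    """Filter a list of installed versions down to those still needing the upgrade."""
    return [v for v in versions if not is_patched(v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = ["2.4.7-p8", "2.4.7-p7", "2.4.4-p16", "2.4.9-alpha2", "2.4.6-p13"]
    print("needs upgrade:", unpatched(fleet))
```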
CVE-2026-21285 is a MEDIUM severity vulnerability in Adobe Commerce allowing attackers to bypass security measures and gain limited unauthorized access without user interaction.
You are affected if you are running any Adobe Commerce version up to and including 2.4.4-p16 (listed as the range 0–2.4.4-p16). Check your version and upgrade to a patched release as soon as possible.
Upgrade to a patched version of Adobe Commerce. Consult the official Adobe Security Bulletin for the specific version containing the fix.
As of March 11, 2026, there are no publicly known active exploitation campaigns targeting CVE-2026-21285.
Refer to the official Adobe Security Bulletin for details and patching instructions: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)