Intel

AIKIDO-2025-10576

magento/product-enterprise-edition is vulnerable to Incorrect Authorization

Incorrect Authorization | CVE-2025-49556 | Published Aug 25, 2025

Risk score 90 (Critical Risk)

This Affects:

PHP package: magento/product-enterprise-edition
2.0.0 - 2.4.4-p14 (fixed in 2.4.4-p15)
2.4.5 - 2.4.5-p13 (fixed in 2.4.5-p14)
2.4.6 - 2.4.6-p11 (fixed in 2.4.6-p12)
2.4.7 - 2.4.7-p6 (fixed in 2.4.7-p7)
2.4.8 - 2.4.8-p1 (fixed in 2.4.8-p2)

TL;DR

Affected versions of this package carry several security flaws. Successful exploitation can result in security feature bypass, privilege escalation, arbitrary file system read, and application denial-of-service (DoS) in Adobe Commerce and Magento Open Source. The weakness classes involved are improper input validation (CWE-20), CSRF (CWE-352), incorrect authorization (CWE-863), stored cross-site scripting (CWE-79), TOCTOU race conditions (CWE-367), and path traversal (CWE-22). This entry tracks CVE-2025-49556, the Incorrect Authorization (CWE-863) issue; the other classes are fixed in the same patch releases.

Who does this affect?

You are affected if the installed version of magento/product-enterprise-edition falls within one of the ranges listed above. The ranges are inclusive at both ends: a base release with no -p suffix (for example 2.4.7) sits at the bottom of its range, and the last patch level named in the range (for example 2.4.7-p6) is still affected, while the next one (2.4.7-p7) is the fix.

Background info

magento/product-enterprise-edition is vulnerable to Incorrect Authorization in versions 2.4.8 - 2.4.8-p1, 2.4.7 - 2.4.7-p6, 2.4.6 - 2.4.6-p11, 2.4.5 - 2.4.5-p13 and 2.0.0 - 2.4.4-p14.

How to fix this

Upgrade magento/product-enterprise-edition to the fixed patch release for the line you run: 2.4.4-p15, 2.4.5-p14, 2.4.6-p12, 2.4.7-p7 or 2.4.8-p2. Stock releases below 2.4.4 have no fixed release in their own line and must move to 2.4.4-p15 or later.
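The ranges above are easy to misread by hand because Magento patch levels (-pN) sort after the base release and the ranges are inclusive. The script below is an added example, not part of the advisory or of Adobe's or Magento's own tooling: it parses a composer.lock, extracts the locked version of magento/product-enterprise-edition, compares it against the ranges copied from this page, and names the release to upgrade to. The composer.lock fragment it runs against is constructed for the example; point check_lock at a real file's contents in your own environment.

```python
import json
import re

PACKAGE = "magento/product-enterprise-edition"

# Affected ranges (inclusive bounds) and the fixed release for each line,
# copied from the advisory above.
AFFECTED_RANGES = [
    ("2.0.0", "2.4.4-p14", "2.4.4-p15"),
    ("2.4.5", "2.4.5-p13", "2.4.5-p14"),
    ("2.4.6", "2.4.6-p11", "2.4.6-p12"),
    ("2.4.7", "2.4.7-p6", "2.4.7-p7"),
    ("2.4.8", "2.4.8-p1", "2.4.8-p2"),
]

# Magento/Adobe Commerce release strings: MAJOR.MINOR.PATCH with an optional -pN suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def version_key(version):
    """Map '2.4.7-p6' -> (2, 4, 7, 6).

    A bare release such as '2.4.7' gets patch level 0, so it sorts below
    '2.4.7-p1', which matches how Composer and Magento order -p releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def fix_for(version):
    """Return the fixed release to upgrade to if `version` lies in an affected
    range, else None. None means 'not in a range listed by this advisory',
    not 'known good': versions newer than the listed lines are not assessed here.
    """
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if version_key(low) <= key <= version_key(high):
            return fixed
    return None


def installed_version(composer_lock_text):
    """Return the locked version of the package from composer.lock JSON, or None."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"]
    return None


def check_lock(composer_lock_text):
    """Return (installed_version, fixed_version_or_None) for a composer.lock body."""
    installed = installed_version(composer_lock_text)
    if installed is None:
        return (None, None)
    return (installed, fix_for(installed))


# Constructed composer.lock fragment for the example; not from a real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7-p6"},
        {"name": PACKAGE, "version": "2.4.7-p6"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    installed, fixed = check_lock(SAMPLE_LOCK)
    if installed is None:
        print(f"{PACKAGE} is not in this composer.lock")
    elif fixed is None:
        print(f"{PACKAGE} {installed} is not in a range listed by AIKIDO-2025-10576")
    else:
        print(f"{PACKAGE} {installed} is affected; upgrade to {fixed}")
```

On a live checkout, `composer show magento/product-enterprise-edition` prints the same locked version the script reads, and the upgrade itself follows Adobe's standard Composer-based upgrade procedure for the target patch release.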