CVE-2026-21286 Overview
CVE-2026-21286 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. The flaw allows a remote, unauthenticated attacker to bypass security controls and obtain limited unauthorized read access to data. Exploitation requires no user interaction and can be initiated over the network. Adobe addressed the issue in its APSB26-05 security bulletin.
Affected versions include Adobe Commerce 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier releases, along with corresponding Magento Open Source and Commerce B2B builds.
Critical Impact
A network-accessible attacker can bypass authorization controls in Adobe Commerce storefronts to read data they should not be able to view, with no authentication or user interaction required.
Affected Products
- Adobe Commerce (2.4.4 through 2.4.9-alpha3 patch lines)
- Adobe Commerce B2B (1.3.3 through 1.5.3-alpha3 patch lines)
- Magento Open Source (2.4.5 through 2.4.9-alpha3 patch lines)
Discovery Timeline
- 2026-03-11 - CVE-2026-21286 published to NVD
- 2026-03-11 - Last updated in NVD database
- Vendor advisory - Adobe published Adobe Magento Security Advisory APSB26-05
Technical Details for CVE-2026-21286
Vulnerability Analysis
The vulnerability is classified under CWE-863: Incorrect Authorization. Adobe Commerce performs an authorization check, but the check evaluates conditions incorrectly, allowing requests that should be denied. As a result, an attacker can issue requests that pass through the access control logic and reach protected resources.
The impact is limited to confidentiality. An attacker gains read access to a subset of data exposed by the affected endpoint, but cannot modify data or disrupt service through this flaw alone. The exposure is meaningful in e-commerce contexts where customer, order, or catalog data may be reachable.
Root Cause
The root cause is a flawed authorization decision in Adobe Commerce code paths that handle resource access. Rather than missing the check entirely, the affected logic returns an incorrect authorization result for certain request states, treating an unauthorized caller as permitted. This pattern is typical of CWE-863 defects where guard conditions, role comparisons, or scope checks contain logic errors.
Attack Vector
The vulnerability is reachable over the network against any exposed Adobe Commerce, Commerce B2B, or Magento Open Source instance running an affected version. The attacker does not need credentials or a valid session, and the victim does not need to interact with attacker-controlled content. The attacker sends crafted HTTP requests to the storefront or API endpoint and receives data that authorization should have blocked.
No public proof-of-concept exploit is currently listed in NVD references, no entry exists in the CISA Known Exploited Vulnerabilities catalog, and no Exploit-DB entry has been published. The Adobe advisory (APSB26-05) is the authoritative reference for affected components and fixed versions.
Detection Methods for CVE-2026-21286
Indicators of Compromise
- Unexpected HTTP 200 responses to anonymous requests targeting endpoints normally requiring authentication, particularly under /rest/, /graphql, and admin or B2B API paths.
- Spikes in outbound data volume from storefront responses to single client IPs without corresponding login activity in application logs.
- Repeated requests from the same source iterating over numeric identifiers (orders, customers, quotes) returning non-error responses.
Detection Strategies
- Inventory all Adobe Commerce, Commerce B2B, and Magento Open Source instances and compare installed versions against the fixed releases listed in APSB26-05.
- Review web server and application logs for anonymous access to endpoints that should require authentication, focusing on the period since the affected version was deployed.
- Correlate access logs with authentication logs to identify sessions where data was returned without a prior successful login event.
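The three indicators and the log-correlation strategy above can be turned into a small triage script. The following is an added example written for this page, not tooling from Adobe or the NVD entry; the log format (including the trailing field that records whether a session cookie or bearer token was present) and the sample lines are constructed assumptions, and the /admin prefix is illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines, not from a real system. The format is an assumption:
# IP, method, path, status, bytes, and "-" in the last field when the request
# carried neither a session cookie nor a bearer token.
SAMPLE_LOG = """\
203.0.113.10 GET /rest/V1/orders/1001 200 4120 -
203.0.113.10 GET /rest/V1/orders/1002 200 4098 -
203.0.113.10 GET /rest/V1/orders/1003 200 4133 -
203.0.113.10 GET /rest/V1/orders/1004 200 4077 -
198.51.100.7 GET /rest/V1/customers/me 200 812 bearer
198.51.100.7 POST /graphql 200 2310 bearer
192.0.2.44 GET /rest/V1/orders/12 401 61 -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")
ID_PATH_RE = re.compile(r"^(.*/)(\d+)$")  # resource prefix + trailing numeric id
SENSITIVE_PREFIXES = ("/rest/", "/graphql", "/admin")  # paths from the IoC list

def parse(log):
    """Turn matching lines into dicts; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ip, method, path, status, size, auth = m.groups()
        events.append({"ip": ip, "method": method, "path": path,
                       "status": int(status), "bytes": int(size), "auth": auth})
    return events

def anonymous_successes(events):
    """IoC 1: 2xx responses to unauthenticated requests on sensitive paths."""
    return [e for e in events if e["auth"] == "-" and 200 <= e["status"] < 300
            and e["path"].startswith(SENSITIVE_PREFIXES)]

def anonymous_bytes_by_ip(events):
    """IoC 2: bytes served per IP that never sent an authenticated request."""
    total, authed = defaultdict(int), set()
    for e in events:
        total[e["ip"]] += e["bytes"]
        if e["auth"] != "-":
            authed.add(e["ip"])
    return {ip: n for ip, n in total.items() if ip not in authed}

def enumeration_sources(events, threshold=3):
    """IoC 3: (ip, resource) pairs walking >= threshold distinct ids with non-error replies."""
    seen = defaultdict(set)
    for e in events:
        m = ID_PATH_RE.match(e["path"])
        if m and e["status"] < 400:
            seen[(e["ip"], m.group(1))].add(int(m.group(2)))
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= threshold}
```

On the sample data, one source produces all four anonymous successes, accounts for the largest unauthenticated response volume, and walks consecutive order identifiers; a 401-only client trips none of the checks. Feed real access logs through parse() after adapting LINE_RE to the deployment's format.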
Monitoring Recommendations
- Enable verbose logging on Magento API gateways and forward logs to a centralized analytics platform for retention and querying.
- Add web application firewall rules to alert on anonymous access patterns to sensitive paths and to rate-limit enumeration attempts.
- Monitor Adobe security bulletins for additional advisories tied to APSB26-05 and apply updates as they become available.
How to Mitigate CVE-2026-21286
Immediate Actions Required
- Apply the security updates referenced in the Adobe Magento Security Advisory APSB26-05 to every affected Adobe Commerce, Commerce B2B, and Magento Open Source instance.
- Restrict network exposure of administrative and B2B API endpoints to trusted IP ranges until patches are deployed.
- Audit recent access logs for evidence of unauthorized data retrieval and rotate any credentials or tokens that may have been exposed.
Patch Information
Adobe released fixes in security bulletin APSB26-05. Administrators should upgrade to the patched releases that supersede 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16, and to the corresponding Commerce B2B patch levels. Refer to the vendor advisory for the exact fixed version numbers per release train.
Workarounds
- Place affected storefronts behind a web application firewall with rules that deny anonymous access to API and admin paths until the patch is applied.
- Disable or firewall off Commerce B2B and unused REST and GraphQL endpoints to reduce the exposed attack surface.
- Require authentication at the reverse proxy or CDN layer for non-public endpoints as a temporary compensating control.
# Verify the installed Magento Open Source / Adobe Commerce version
php bin/magento --version
# Apply the Composer-based update once the patched version is released.
# Replace <patched-version> with the fixed release named in APSB26-05 for your
# release train; Adobe Commerce installs use magento/product-enterprise-edition
# instead of magento/product-community-edition.
composer require magento/product-community-edition=<patched-version> --no-update
composer update
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:flush
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.