CVE-2026-34651 Overview
CVE-2026-34651 affects Adobe Commerce and exposes the application to an Uncontrolled Resource Consumption flaw classified under [CWE-400]. An unauthenticated attacker can send crafted network requests that exhaust system resources, producing an application denial-of-service condition. Exploitation requires no user interaction and no privileges, which broadens the population of viable attackers. Adobe published the issue on 2026-05-12 through advisory APSB26-49. The vulnerability affects Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, and earlier releases.
Critical Impact
Remote attackers can trigger a denial-of-service condition against Adobe Commerce storefronts without authentication or user interaction, disrupting transactions and customer access.
Affected Products
- Adobe Commerce 2.4.9-beta1 and earlier
- Adobe Commerce 2.4.8-p4, 2.4.7-p9, 2.4.6-p14
- Adobe Commerce 2.4.5-p16, 2.4.4-p17 and earlier
Discovery Timeline
- 2026-05-12 - CVE-2026-34651 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-34651
Vulnerability Analysis
The flaw is an Uncontrolled Resource Consumption issue [CWE-400] in Adobe Commerce. The application accepts attacker-controlled input over the network and processes it without bounding the resources committed to the operation. Repeated or crafted requests can saturate CPU, memory, or other backend resources. The result is a denial-of-service condition that interrupts availability for legitimate customers and administrators. The vulnerability impacts availability only, leaving confidentiality and integrity unaffected.
Root Cause
The underlying defect is the absence of strict limits on resources consumed when handling specific request types. Adobe Commerce does not enforce sufficient rate, size, or computational ceilings on the affected code path. Attackers leverage this gap by issuing input that forces expensive processing or sustained allocation. Refer to the Adobe Security Advisory APSB26-49 for vendor technical context.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker reaches the exposed Adobe Commerce endpoint and submits crafted requests that trigger resource exhaustion. No user interaction is required, and the attacker does not need an account on the targeted storefront. Public-facing Magento and Commerce deployments are directly reachable, which increases real-world exposure. Because the vulnerability is exploitable remotely against the storefront tier, internet-exposed instances should be treated as priority remediation targets.
No verified public exploit code is available for CVE-2026-34651 at this time. See the Adobe Security Bulletin for the authoritative description.
Detection Methods for CVE-2026-34651
Indicators of Compromise
- Sustained CPU or memory pressure on Adobe Commerce application or PHP-FPM workers without a corresponding traffic spike from known sources.
- Elevated request volume to a narrow set of Commerce endpoints from a small number of source IP addresses or autonomous systems.
- Increased 5xx response rates, request queue depth, and database connection saturation correlated with worker exhaustion.
Detection Strategies
- Baseline normal request rates per endpoint and alert when a single endpoint exceeds historical thresholds.
- Inspect web server and application logs for repeated requests with anomalous payload sizes or parameter patterns.
- Correlate WAF telemetry with backend resource utilization to identify low-volume but high-cost request patterns.
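The per-endpoint baselining and payload-size inspection described in the strategies above, as an added example that is not part of this advisory: it parses a few constructed nginx-style access-log lines (the format, IPs and paths are assumptions, not Adobe's or this page's data) and flags endpoint bursts, oversized request bodies, and the source IPs behind a burst.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (not from the page or any real deployment),
# in a simplified nginx-style format:
#   <client_ip> [<time_local>] "<METHOD> <path>" <status> <request_length>
SAMPLE_LOG = """\
203.0.113.7 [12/May/2026:10:00:01 +0000] "POST /graphql" 200 812
203.0.113.7 [12/May/2026:10:00:01 +0000] "POST /graphql" 200 812
203.0.113.7 [12/May/2026:10:00:02 +0000] "POST /graphql" 503 812
203.0.113.7 [12/May/2026:10:00:03 +0000] "POST /graphql" 503 812
198.51.100.4 [12/May/2026:10:00:04 +0000] "GET /" 200 355
198.51.100.9 [12/May/2026:10:00:05 +0000] "POST /rest/V1/guest-carts" 200 65536
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
                     r'(?P<status>\d{3}) (?P<reqlen>\d+)$')

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"], e["reqlen"] = int(e["status"]), int(e["reqlen"])
        entries.append(e)
    return entries

def endpoint_bursts(entries, baseline, window_s=10, factor=3):
    """Count requests per (path, window start) and return the buckets whose count
    exceeds factor x baseline; baseline maps path -> normal requests per window."""
    counts = Counter()
    for e in entries:
        bucket = int(e["ts"].timestamp()) // window_s * window_s
        counts[(e["path"], bucket)] += 1
    return {k: n for k, n in counts.items() if n > factor * baseline.get(k[0], 1)}

def oversized_requests(entries, max_bytes=8192):
    """Return (ip, path, request_length) for requests larger than max_bytes."""
    return [(e["ip"], e["path"], e["reqlen"]) for e in entries if e["reqlen"] > max_bytes]

def top_sources(entries, path, n=3):
    """Top n client IPs for a path, to show how concentrated a burst is."""
    return Counter(e["ip"] for e in entries if e["path"] == path).most_common(n)
```

In production the baseline dictionary would come from historical per-endpoint counts, and request_length requires logging `$request_length` in the nginx log_format, since the default combined format only records the response size.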
Monitoring Recommendations
- Monitor PHP, Nginx or Apache, MySQL, and Redis resource usage in real time and forward metrics to the SIEM.
- Track 95th and 99th percentile response latency on storefront and checkout endpoints to detect early degradation.
- Enable WAF rate-limiting telemetry and alert on bursts targeting Commerce REST and GraphQL routes.
How to Mitigate CVE-2026-34651
Immediate Actions Required
- Apply the security updates published in Adobe Security Bulletin APSB26-49 to all affected Commerce installations.
- Inventory all Adobe Commerce instances, including staging and development, and confirm patch status against the fixed versions.
- Place a WAF or reverse proxy in front of internet-facing storefronts and enable rate limiting on dynamic endpoints.
Patch Information
Adobe released fixed builds for the affected 2.4.x branches as documented in advisory APSB26-49. Upgrade to the patched release that corresponds to your branch: 2.4.8, 2.4.7, 2.4.6, 2.4.5, or 2.4.4. Validate the upgrade in a non-production environment, then deploy to production following standard Commerce upgrade procedures. Confirm version remediation via bin/magento --version after deployment.
Workarounds
- Enforce request rate limits and connection caps on the web tier for storefront, GraphQL, and REST endpoints until patching completes.
- Restrict access to non-essential Commerce endpoints at the network edge and require allowlisting for admin paths.
- Configure PHP-FPM worker limits, request timeouts, and memory ceilings to constrain the blast radius of resource exhaustion attempts.
# Example Nginx rate limit for Adobe Commerce storefront
# limit_req_zone must be declared in the http context; it keys the shared
# 10 MB zone "commerce_rl" on the client address and allows 20 requests/s.
limit_req_zone $binary_remote_addr zone=commerce_rl:10m rate=20r/s;
server {
    location / {
        # Permit short bursts of up to 40 queued requests, served without
        # delay; requests beyond the burst are rejected with 503.
        limit_req zone=commerce_rl burst=40 nodelay;
        proxy_pass http://commerce_backend;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.