CVE-2026-34654 Overview
CVE-2026-34654 affects Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, and earlier. The flaw stems from a dependency on a vulnerable third-party component and can be triggered remotely without authentication or user interaction. Successful exploitation causes the application to crash, producing a denial-of-service (DoS) condition that disrupts storefront and administrative availability.
Critical Impact
Unauthenticated network-based attackers can crash Adobe Commerce instances, taking e-commerce storefronts offline and interrupting revenue-generating transactions.
Affected Products
- Adobe Commerce 2.4.9-beta1
- Adobe Commerce 2.4.8-p4, 2.4.7-p9, 2.4.6-p14
- Adobe Commerce 2.4.5-p16, 2.4.4-p17, and earlier
Discovery Timeline
- 2026-05-12 - CVE-2026-34654 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-34654
Vulnerability Analysis
CVE-2026-34654 is a denial-of-service issue rooted in a vulnerable third-party component bundled with Adobe Commerce. The attacker reaches the vulnerable code path over the network through standard HTTP(S) request handling exposed by the Commerce application. Because the flaw exists in an upstream dependency, the issue applies broadly across Commerce deployments using the affected branch versions.
The vulnerability impacts availability only. Confidentiality and integrity of customer data, orders, and configuration are not directly affected. However, an outage of a public-facing storefront translates to lost transactions and degraded customer trust during the disruption window.
EPSS data lists a probability of 0.072% at the 21.851 percentile, indicating low near-term exploitation likelihood at publication time. No public proof-of-concept, exploit, or in-the-wild activity has been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is Adobe Commerce's reliance on a third-party library that fails to handle a specific input or condition safely, causing the application process to terminate. Adobe's advisory categorizes the weakness as a Dependency on Vulnerable Third-Party Component issue rather than a flaw in Commerce's own application logic.
Attack Vector
The attack vector is network-based with low complexity. The attacker sends a crafted request to a reachable Commerce endpoint. No credentials, privileges, or user interaction are required. The crafted input triggers the upstream component's defect, causing the process to crash and rendering the storefront unavailable until the service is restarted.
No verified exploit code is publicly available. Refer to the Adobe Magento Security Advisory APSB26-49 for technical details and fixed component versions.
Detection Methods for CVE-2026-34654
Indicators of Compromise
- Unexpected PHP-FPM, Nginx, or Apache worker crashes and automatic restarts correlated with bursts of inbound HTTP requests.
- Spikes in HTTP 5xx responses from Commerce storefront or admin endpoints originating from a limited set of source IP addresses.
- Repeated identical or malformed request payloads targeting endpoints handled by the vulnerable third-party component.
Detection Strategies
- Inventory installed Adobe Commerce versions using bin/magento --version and composer show to identify hosts running affected releases.
- Compare loaded dependency versions against the fixed versions listed in the Adobe advisory.
- Correlate web server access logs with application crash events to identify exploitation attempts targeting the vulnerable component.
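The version inventory described above can be automated. The following script is an added example and is not part of the advisory or of Adobe's tooling: it parses output in the shape that composer show prints (package name, version, description) and flags any Commerce metapackage whose patch level is at or below the last affected level named on this page for its branch. Branches older than 2.4.4 are treated as affected under the page's "and earlier" wording; branches and pre-release tags the page does not list are reported as undecided, since the fixed versions come only from APSB26-49. The sample composer output is constructed.

```python
"""Flag Adobe Commerce versions listed as affected by CVE-2026-34654.

Added example (not Adobe's code). The affected list mirrors the advisory text;
the sample composer output below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Last affected patch level per 2.4.x branch, as listed in the advisory text.
# "and earlier" covers every lower patch level on these branches and every
# branch older than 2.4.4.
AFFECTED_PATCH_LEVEL = {
    (2, 4, 8): 4,
    (2, 4, 7): 9,
    (2, 4, 6): 14,
    (2, 4, 5): 16,
    (2, 4, 4): 17,
}
AFFECTED_PRERELEASE = {"2.4.9-beta1"}
OLDEST_LISTED_BRANCH = (2, 4, 4)

# Composer package names of the Commerce metapackages (assumed names).
COMMERCE_PACKAGES = {
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is in the affected range, False if it is above
    the listed patch level, None if the page gives no basis to decide."""
    version = version.strip()
    if version in AFFECTED_PRERELEASE:
        return True
    m = VERSION_RE.match(version)
    if not m:
        return None  # other pre-release or dev tags: consult the advisory
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0  # "2.4.7" == patch level 0
    if branch < OLDEST_LISTED_BRANCH:
        return True  # "and earlier"
    if branch in AFFECTED_PATCH_LEVEL:
        return patch <= AFFECTED_PATCH_LEVEL[branch]
    return None  # branch not named on the page


def inventory(composer_show_output: str) -> Dict[str, Tuple[str, Optional[bool]]]:
    """Map each Commerce metapackage found in composer show output to
    (version, affected?)."""
    found = {}
    for line in composer_show_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in COMMERCE_PACKAGES:
            found[parts[0]] = (parts[1], is_affected(parts[1]))
    return found


# Constructed sample of `composer show` output for a single host.
SAMPLE_COMPOSER_SHOW = """\
magento/framework                  103.0.7-p6 N/A
magento/product-enterprise-edition 2.4.7-p6   eCommerce Platform for Growth (Enterprise Edition)
monolog/monolog                    2.9.2      Sends your logs to files, sockets, inboxes, databases and various web services
"""

if __name__ == "__main__":
    for pkg, (ver, hit) in inventory(SAMPLE_COMPOSER_SHOW).items():
        state = {True: "AFFECTED", False: "above listed level", None: "undecided"}[hit]
        print(f"{pkg} {ver}: {state}")
```

Run it against real output with `composer show | python3 check_version.py` after replacing the constructed sample with sys.stdin; a host that comes back "above listed level" should still be checked against the fixed versions in APSB26-49 rather than assumed patched.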
Monitoring Recommendations
- Configure web application firewall (WAF) telemetry to alert on anomalous request rates and malformed payloads to Commerce endpoints.
- Monitor process supervisor logs (systemd, supervisord) for repeated crash-restart loops of PHP workers.
- Track service availability with synthetic transaction monitoring to detect intermittent outages caused by exploitation.
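The correlation described under Detection Strategies and the supervisor-log monitoring above can be prototyped with a few dozen lines. The script below is an added example, not code from the advisory: for every PHP-FPM child crash it finds in the FPM log, it collects the access-log requests in the preceding window, counts 5xx responses, and reports the source IP that sent the most requests, which is the pattern the Indicators of Compromise section describes. The log lines are constructed; the request path /example stands in for whatever endpoint the affected component handles, which this page does not name. Log formats assumed are nginx's combined format and PHP-FPM's default error log.

```python
"""Correlate web access logs with PHP-FPM child crashes.

Added example (not Adobe's code). Sample log lines are constructed; the
path /example is a placeholder for the endpoint reached by the crafted request.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# nginx "combined" access log: ip - user [ts] "request" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
# PHP-FPM default log line for a worker that died on a signal.
FPM_CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING: \[pool \S+\] child \d+ exited on signal"
)

AccessRecord = Tuple[datetime, str, str, int]


def parse_access(lines: List[str]) -> List[AccessRecord]:
    """Return (timestamp, source ip, request line, status) for each access line."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append((ts, m["ip"], m["req"], int(m["status"])))
    return records


def parse_crashes(lines: List[str]) -> List[datetime]:
    """Return the UTC timestamps of FPM children that exited on a signal."""
    crashes = []
    for line in lines:
        m = FPM_CRASH_RE.match(line)
        if m:
            naive = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            crashes.append(naive.replace(tzinfo=timezone.utc))  # assumes FPM logs in UTC
    return crashes


def correlate(access: List[AccessRecord], crashes: List[datetime],
              window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """For each crash, summarise the requests seen in the preceding window."""
    findings = []
    for crash in crashes:
        recent = [r for r in access if crash - window <= r[0] <= crash]
        by_ip = Counter(r[1] for r in recent)
        top_ip, top_n = by_ip.most_common(1)[0] if by_ip else (None, 0)
        findings.append({
            "crash": crash,
            "requests": len(recent),
            "errors_5xx": sum(1 for r in recent if r[3] >= 500),
            "top_ip": top_ip,
            "top_ip_requests": top_n,
        })
    return findings


# Constructed sample logs: three requests from one source, two of which get a
# 502 as workers die, followed by an FPM crash and automatic restart.
SAMPLE_ACCESS = [
    '198.51.100.20 - - [12/May/2026:10:13:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2026:10:14:58 +0000] "POST /example HTTP/1.1" 200 512 "-" "curl/8.6.0"',
    '203.0.113.7 - - [12/May/2026:10:15:00 +0000] "POST /example HTTP/1.1" 502 157 "-" "curl/8.6.0"',
    '198.51.100.20 - - [12/May/2026:10:15:01 +0000] "GET /catalog HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2026:10:15:02 +0000] "POST /example HTTP/1.1" 502 157 "-" "curl/8.6.0"',
]
SAMPLE_FPM = [
    "[12-May-2026 10:15:04] WARNING: [pool www] child 1234 exited on signal 11 (SIGSEGV) after 4.011 seconds from start",
    "[12-May-2026 10:15:04] NOTICE: [pool www] child 1240 started",
]

if __name__ == "__main__":
    for f in correlate(parse_access(SAMPLE_ACCESS), parse_crashes(SAMPLE_FPM)):
        print(f"{f['crash'].isoformat()}: {f['requests']} requests, "
              f"{f['errors_5xx']} 5xx, top source {f['top_ip']} ({f['top_ip_requests']})")
```

A crash whose window is dominated by one source IP and contains 5xx responses is the case worth escalating; a crash with no preceding requests is more likely an unrelated worker fault. The window length is a tuning choice, and the FPM timestamp is assumed to be in UTC since the default log line carries no zone.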
How to Mitigate CVE-2026-34654
Immediate Actions Required
- Identify all Adobe Commerce instances running the affected versions and prioritize patching of internet-facing systems.
- Apply the security update referenced in the Adobe advisory APSB26-49 to remediate the vulnerable third-party dependency.
- Restrict administrative endpoints to trusted IP ranges where business requirements permit.
Patch Information
Adobe published fixed releases addressing CVE-2026-34654 in the Adobe Magento Security Advisory APSB26-49. Administrators should upgrade to the fixed Commerce version on each affected branch and validate that the updated third-party component is loaded after deployment.
Workarounds
- Deploy WAF rules to rate-limit and inspect requests reaching Commerce endpoints until patches are applied.
- Enable automatic process restart policies in the service manager so crashed workers recover quickly during exploitation attempts.
- Place affected stores behind a CDN or reverse proxy capable of filtering malformed requests targeting the vulnerable component.
# Verify installed Adobe Commerce version and dependencies
bin/magento --version
composer show | grep -Ei 'magento|adobe-commerce'
# Apply the vendor-supplied fix and clear caches. Pin the fixed Commerce
# release named in APSB26-49 for your branch (placeholder <fixed-version>)
# rather than running an unconstrained update, and do the upgrade with the
# store in maintenance mode.
bin/magento maintenance:enable
composer require magento/product-community-edition=<fixed-version> --no-update  # or magento/product-enterprise-edition
composer update
bin/magento setup:upgrade
bin/magento cache:flush
bin/magento maintenance:disable