CVE-2026-42155 Overview
CVE-2026-42155 is a cryptographic weakness in OpenMage Magento Long Term Support (LTS), an unofficial community-driven fork of the Magento Community Edition e-commerce platform. The XML-RPC and SOAP API session ID generator relies on a time-based MD5 construction instead of a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the hash derive from timestamps and PHP internal Linear Congruential Generator (LCG) state. Attackers can predict the LCG window, generate candidate hashes, and brute-force active API sessions because the API lacks rate limiting. The flaw is fixed in version 20.18.0 and is tracked under [CWE-330].
Critical Impact
Predictable session IDs allow unauthenticated attackers to hijack active XML-RPC/SOAP API sessions over the network and access administrative e-commerce functions.
Affected Products
- OpenMage Magento LTS versions prior to 20.18.0
- Magento LTS XML-RPC API endpoints
- Magento LTS SOAP API endpoints
Discovery Timeline
- 2026-05-15 - CVE-2026-42155 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-42155
Vulnerability Analysis
The vulnerability resides in the API session identifier generation logic for XML-RPC and SOAP endpoints in Magento LTS. The session ID derives from an MD5 digest of values tied entirely to the current timestamp and PHP's internal LCG state. Both inputs are non-secret and partially observable through server behavior, response headers, or timing analysis.
This design violates OWASP ASVS v4 V3.2.2, which mandates at least 64 bits of entropy for session tokens, and conflicts with NIST SP 800-63B guidance on session secret generation. The effective entropy collapses far below this threshold once an attacker narrows the timestamp window.
Root Cause
The root cause is insecure random number generation [CWE-330]. The implementation uses MD5 over time-derived seeds rather than a CSPRNG such as random_bytes(). Attackers who observe server state leaks can constrain the LCG window and enumerate candidate session IDs offline.
Attack Vector
A remote unauthenticated attacker first narrows the LCG state by leveraging predictability signals from the server. The attacker then generates a localized pool of candidate MD5 digests representing valid session IDs within that window. Because the API enforces no rate limiting, the attacker submits these candidates at high speed against live XML-RPC/SOAP endpoints until an active session is hijacked. The attacker inherits the privileges of the hijacked API session, including merchant or administrator functions.
For implementation specifics, see the OpenMage GitHub Security Advisory GHSA-2cwr-gcf9-pvxr.
Detection Methods for CVE-2026-42155
Indicators of Compromise
- High-volume requests to /api/xmlrpc or /api/soap endpoints from a single source IP within short time windows
- Repeated authentication or session validation failures followed by a successful API call from the same client
- Unexpected API session reuse where the originating IP, user agent, or geolocation differs from the session creator
- API calls invoking privileged methods such as catalog_product.create or customer.list from previously unseen clients
Detection Strategies
- Inspect web server access logs for bursts of POST requests to XML-RPC and SOAP endpoints with varying session IDs
- Correlate API session identifiers against the IP and client fingerprint that initially called login
- Alert on session IDs whose entropy distribution deviates from random, indicating brute-force enumeration
- Monitor for repeated SOAP login calls from one client followed by rapid privileged calls from another
Monitoring Recommendations
- Ingest Magento application and web server logs into a centralized log platform for behavioral analytics
- Track per-endpoint request rates and apply anomaly detection on /api/xmlrpc and /api/soap
- Enable PHP error and audit logging to capture API authentication anomalies
- Forward identification events to a SIEM for correlation with network egress and admin panel activity
How to Mitigate CVE-2026-42155
Immediate Actions Required
- Upgrade OpenMage Magento LTS to version 20.18.0 or later, which replaces the weak session ID generator
- Invalidate all existing XML-RPC and SOAP API sessions after upgrading to revoke any tokens generated under the vulnerable scheme
- Rotate API user credentials for accounts that authenticate against XML-RPC or SOAP endpoints
- Restrict network exposure of the API endpoints to trusted IP ranges where feasible
Patch Information
The maintainers fixed the vulnerability in OpenMage Magento LTS 20.18.0 by replacing the time-based MD5 session ID construction with a CSPRNG-based generator. Refer to the OpenMage Magento LTS Security Advisory for the patch commit and release notes.
Workarounds
- Disable XML-RPC and SOAP API access entirely if the deployment does not require legacy API integrations
- Place the API endpoints behind a reverse proxy or Web Application Firewall (WAF) that enforces strict rate limiting on /api/xmlrpc and /api/soap
- Restrict API user roles to the minimum permissions required to limit the blast radius of a hijacked session
- Add IP allowlisting at the network or web server layer for known API consumers
# Example Nginx rate limit configuration for Magento LTS API endpoints
limit_req_zone $binary_remote_addr zone=magento_api:10m rate=5r/s;
location ~ ^/api/(xmlrpc|soap) {
limit_req zone=magento_api burst=10 nodelay;
allow 10.0.0.0/8;
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

