CVE-2025-54267

MEDIUM6.5EPSS 0.07%

Magento vulnerable to privilege escalation due to incorrect authorization

Published: 10/14/2025Modified: 10/22/2025

Description

Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction.

Affected packages (2)

Packagist/magento/community-edition>= 2.4.9-alpha1, < 2.4.9-alpha3
Packagist/magento/project-community-editionfrom 0, <= 2.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54267
PATCHhttps://github.com/magento/magento2
WEBhttps://helpx.adobe.com/security/products/magento/apsb25-94.html