Server-Side Request Forgery Vulnerability in Adobe Commerce Products
CVE-2026-21294

5.5MEDIUM

Key Information:

Vendor: Adobe
Status: Adobe Commerce
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-21294?

Adobe Commerce is exposed to a Server-Side Request Forgery (SSRF) vulnerability, enabling attackers with high privileges to manipulate server-side requests. This flaw allows potential bypassing of security features without requiring any user interaction. The affected versions include Adobe Commerce 2.4.9-alpha3 and earlier. It is crucial for administrators to patch and secure their systems to prevent exploitation of this weakness.

Affected Version(s)

Adobe Commerce 0 <= 2.4.4-p16

References

https://helpx.adobe.com/security/products/magento/apsb26-...

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Dec 12, 2025

CVE-2026-21294 Data

JSON