Access Control Flaw in Magento Long Term Support Affecting Shared Wishlists
CVE-2026-40098
What is CVE-2026-40098?
Magento Long Term Support (LTS) is a community-driven alternative to Magento Community Edition. Before version 20.17.0, its shared wishlist feature has an access control flaw: the add-to-cart endpoint authorizes a request solely on the public sharing_code and does not verify that the supplied wishlist item IDs belong to the wishlist that code identifies. An item ID from another user's private wishlist is therefore accepted through the shared wishlist, and that user's custom option data for the item is exposed to the requester; where file custom options are involved, this amounts to cross-user file disclosure. Version 20.17.0 addresses the issue.
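The missing check described above, shown as an added illustration that is not Magento LTS code: a language-neutral Python model of the add-to-cart authorization in which the vulnerable variant resolves the item ID against a global item table after validating only the sharing_code, while the hardened variant additionally requires the item to belong to the wishlist that the sharing code identifies. The store layout, the sample users, codes and custom option values are all constructed for the example.

```python
"""Model of the shared-wishlist add-to-cart authorization flaw (CVE-2026-40098).

Added example, not Magento LTS code. Data model, names and values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WishlistItem:
    item_id: int
    wishlist_id: int
    custom_options: dict  # e.g. a "file" custom option pointing at an uploaded file


@dataclass
class Wishlist:
    wishlist_id: int
    owner: str
    sharing_code: str
    shared: bool
    items: dict[int, WishlistItem] = field(default_factory=dict)


class Store:
    """Mirrors two tables: wishlists and a single, global wishlist_item table."""

    def __init__(self) -> None:
        self.wishlists: dict[int, Wishlist] = {}
        self.items: dict[int, WishlistItem] = {}

    def add_wishlist(self, wl: Wishlist) -> None:
        self.wishlists[wl.wishlist_id] = wl
        for item in wl.items.values():
            self.items[item.item_id] = item

    def find_shared(self, sharing_code: str) -> Optional[Wishlist]:
        """Step 1 of authorization: the code must identify a wishlist marked shared."""
        for wl in self.wishlists.values():
            if wl.shared and wl.sharing_code == sharing_code:
                return wl
        return None


def add_to_cart_vulnerable(store: Store, sharing_code: str, item_id: int) -> dict:
    """Authorizes on sharing_code alone; item_id is looked up globally.

    Nothing ties item_id to the wishlist the code identifies, so an ID from
    any other user's private wishlist is accepted and its options are returned.
    """
    wl = store.find_shared(sharing_code)
    if wl is None:
        raise PermissionError("unknown or unshared wishlist")
    item = store.items.get(item_id)  # global lookup, no ownership check
    if item is None:
        raise LookupError("no such item")
    return item.custom_options


def add_to_cart_fixed(store: Store, sharing_code: str, item_id: int) -> dict:
    """Same entry point with the item scoped to the shared wishlist."""
    wl = store.find_shared(sharing_code)
    if wl is None:
        raise PermissionError("unknown or unshared wishlist")
    item = store.items.get(item_id)
    # The item must belong to the wishlist the sharing code resolved to.
    if item is None or item.wishlist_id != wl.wishlist_id:
        raise PermissionError("item does not belong to the shared wishlist")
    return item.custom_options


def build_sample_store() -> Store:
    """Constructed data: alice shares wishlist 1; bob's wishlist 2 stays private."""
    store = Store()
    alice = Wishlist(1, "alice", "share-code-alice", shared=True)
    alice.items[10] = WishlistItem(10, 1, {"engraving": "hello"})
    bob = Wishlist(2, "bob", "share-code-bob", shared=False)
    bob.items[20] = WishlistItem(20, 2, {"file": "private/bob-upload.pdf"})
    store.add_wishlist(alice)
    store.add_wishlist(bob)
    return store


def demonstrate() -> tuple[dict, str]:
    """Returns (what the vulnerable endpoint leaks, what the fixed endpoint does)."""
    store = build_sample_store()
    leaked = add_to_cart_vulnerable(store, "share-code-alice", 20)  # bob's private item
    try:
        add_to_cart_fixed(store, "share-code-alice", 20)
        outcome = "allowed"
    except PermissionError:
        outcome = "denied"
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demonstrate()
    print("vulnerable endpoint returned:", leaked)
    print("fixed endpoint:", outcome)
```

The defensive point is the second condition in add_to_cart_fixed: a sharing code proves that one wishlist is public, not that an arbitrary item ID is part of it, so every item referenced by the request has to be resolved through that wishlist (or checked against its wishlist_id) before its custom option data is read.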
Affected Version(s)
magento-lts < 20.17.0
