XML-RPC/SOAP API Vulnerability in OpenMage Magento Long Term Support
CVE-2026-42155

9.3 CRITICAL

Key Information:

Vendor

OpenMage

CVE Published:
15 May 2026

What is CVE-2026-42155?

The XML-RPC/SOAP API in OpenMage Magento Long Term Support generates session IDs with a legacy time-based method instead of a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). Because the only input is derived from the clock, the resulting IDs carry far less entropy than their length suggests, and the space of possible values is small enough to be brute-forced. Combined with the absence of rate limiting on the API, this lets an attacker guess a valid session ID and hijack an active API session. The vulnerability has been addressed in version 20.18.0.
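As an added illustration of the vulnerability class (hypothetical code, not OpenMage's), a time-derived session ID generator beside the CSPRNG-backed form, with a helper that shows why the weak scheme's search space is bounded by the clock resolution rather than by the digest length; the tick resolution is an assumption:

```python
import hashlib
import math
import secrets

# Hypothetical illustration of the weak pattern described in the advisory;
# not OpenMage's code. The assumed granularity of the time-derived input.
RESOLUTION_US = 1000


def weak_session_id(timestamp: float, resolution_us: int = RESOLUTION_US) -> str:
    """Time-derived ID: every request in the same tick gets the same ID,
    and the ID for any tick is computable. Vulnerable pattern, do not use."""
    ticks = int(timestamp * 1_000_000) // resolution_us
    return hashlib.md5(str(ticks).encode()).hexdigest()


def secure_session_id(nbytes: int = 32) -> str:
    """Fixed pattern: ID drawn from the OS CSPRNG, independent of the clock."""
    return secrets.token_hex(nbytes)


def weak_candidates(window_seconds: float, resolution_us: int = RESOLUTION_US) -> int:
    """Distinct IDs the weak scheme can emit for sessions created in a window.
    This, not the 128-bit digest, is the space a guesser has to cover, which
    is why the advisory pairs the low entropy with missing API rate limiting."""
    return int(window_seconds * 1_000_000 // resolution_us)


def entropy_bits(candidates: int) -> float:
    """Effective entropy of a uniform choice among `candidates` values."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Two sessions created within one tick collide; CSPRNG IDs do not.
    print(weak_session_id(1000.0) == weak_session_id(1000.0002))
    hour = weak_candidates(3600)
    print(f"weak scheme, 1 h window: {hour} candidates ~ {entropy_bits(hour):.1f} bits")
    print(f"CSPRNG, 32 bytes: {entropy_bits(2 ** 256):.0f} bits")
```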

Affected Version(s)

magento-lts < 20.18.0

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
