PatchSiren

CVE-2026-34650 Adobe CVE debrief

CVE-2026-34650 is a high-severity availability issue in Adobe Commerce. According to the CVE description and NVD analysis, an attacker can trigger uncontrolled resource consumption and exhaust system resources, causing application denial of service without user interaction. Adobe and NVD map the issue to affected Adobe Commerce releases and related CPE entries, with the vulnerability classified as CWE-400 and scored CVSS 3.1 7.5 (HIGH).

Vendor: Adobe
Product: Commerce
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-20
Advisory published: 2026-05-12
Advisory updated: 2026-05-20

Who should care

Administrators and security teams responsible for Adobe Commerce deployments should prioritize this issue, especially where storefronts are internet-facing. Teams managing adjacent Adobe Commerce B2B or Magento/Open Source environments should also review the NVD CPE mappings in the supplied record to confirm exposure.

Technical summary

The supplied record describes a network-reachable, unauthenticated uncontrolled resource consumption weakness that affects Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier. NVD classifies the issue as CWE-400 and assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating no confidentiality or integrity impact but a high availability impact. The NVD metadata also includes Adobe Commerce B2B and Magento/Open Source CPE entries as vulnerable within the supplied criteria.

Defensive priority

High. This is an unauthenticated, network-exploitable denial-of-service condition with high availability impact. Patch planning should be expedited for any exposed Adobe Commerce instance, and exposure should be confirmed across all mapped product lines in the NVD data.

Recommended defensive actions

  • Review Adobe Security Bulletin APSB26-49 and apply the vendor-provided update for your affected release line.
  • Inventory Adobe Commerce, Adobe Commerce B2B, and related Magento/Open Source deployments to confirm whether any match the affected versions listed in the record.
  • Prioritize internet-facing systems first and monitor for abnormal resource utilization or sustained service degradation.
  • If immediate patching is not possible, use temporary compensating controls such as request throttling and capacity monitoring around exposed endpoints until remediation is completed.
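
For the inventory step in the list above, an added example (not code from Adobe, NVD or this page's source) that compares installed version strings against the per-line ceilings quoted in the CVE description. The suffix ordering (pre-releases before GA before -pN patches), the function names and the sample hostnames are assumptions; "unlisted" only means the record does not name that build, so confirm it against APSB26-49.

```python
import re

# Highest affected build per release line, copied from the CVE description above.
HIGHEST_AFFECTED = {
    (2, 4, 9): "beta1", (2, 4, 8): "p4", (2, 4, 7): "p9",
    (2, 4, 6): "p14", (2, 4, 5): "p16", (2, 4, 4): "p17",
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")
# Assumption: within one release line, pre-releases < GA < -pN security patches.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}


def parse(version):
    """Split '2.4.7-p9' into ((2, 4, 7), (stage_rank, number))."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, stage, number = m.groups()
    return (int(major), int(minor), int(patch)), (_STAGE[stage], int(number or 0))


def exposure(version):
    """Return 'affected' or 'unlisted' (not in the record; check APSB26-49)."""
    line, build = parse(version)
    if line < min(HIGHEST_AFFECTED):
        return "affected"  # covered by "and earlier"
    if line not in HIGHEST_AFFECTED:
        return "unlisted"  # newer release line than the record names
    _, ceiling = parse("%d.%d.%d-%s" % (*line, HIGHEST_AFFECTED[line]))
    return "affected" if build <= ceiling else "unlisted"


def triage(inventory):
    """Return the hosts whose version falls in the affected range, sorted."""
    return sorted(h for h, v in inventory.items() if exposure(v) == "affected")


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "shop-eu.example": "2.4.7-p9",
    "shop-us.example": "2.4.7-p10",
    "b2b.example": "2.4.8",
    "staging.example": "2.4.9",
    "legacy.example": "2.4.3-p3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], "affected")
```

Patch numbers are compared as integers, so 2.4.7-p10 sorts after 2.4.7-p9 where a plain string comparison would wrongly place it inside the affected range.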

Evidence notes

The CVE description states that Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an uncontrolled resource consumption vulnerability that can lead to application denial of service and does not require user interaction. NVD marks the vulnerability as analyzed, assigns CWE-400, and records CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied NVD metadata references Adobe PSIRT advisory APSB26-49 as the vendor advisory. The supplied enrichment does not list the issue in CISA KEV.

Official resources

Publicly disclosed on 2026-05-12T20:16:36.033Z and modified on 2026-05-20T17:13:27.387Z. The supplied enrichment does not identify this issue as a CISA KEV entry.