PatchSiren

CVE-2026-34651 Adobe CVE debrief

CVE-2026-34651 is a high-severity availability issue in Adobe Commerce and Commerce B2B. According to Adobe’s advisory and the NVD record, an attacker can exhaust system resources over the network without user interaction, leading to application denial-of-service. The issue is classified as CWE-400, Uncontrolled Resource Consumption.

Vendor: Adobe
Product: Commerce
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-20
Advisory published: 2026-05-12
Advisory updated: 2026-05-20

Who should care

Organizations running Adobe Commerce or Adobe Commerce B2B, especially teams responsible for internet-facing storefronts, uptime, and patch management. Administrators, incident responders, and hosting providers should prioritize review because the flaw is remotely reachable and affects availability.

Technical summary

The NVD record lists CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-accessible, low-complexity issue with no privileges or user interaction required and high availability impact. Adobe and NVD map the weakness to CWE-400. The affected scope includes Adobe Commerce versions up through 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, and earlier, plus Commerce B2B releases covered by the vendor/NVD CPE ranges.

Defensive priority

High. The vulnerability is remotely exploitable, requires no user interaction, and can cause application denial-of-service in commerce platforms where uptime directly affects business operations.

Recommended defensive actions

  • Review Adobe PSIRT advisory APSB26-49 for the vendor’s fixed release guidance.
  • Prioritize patching Adobe Commerce and Commerce B2B instances that match the affected versions in the advisory and NVD record.
  • Inventory exposed Commerce deployments and confirm whether any production or staging systems fall within the affected version ranges.
  • Monitor for abnormal resource usage and application instability while remediation is being scheduled.
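
The inventory step above can be scripted. The following is an added example, not code from Adobe, NVD, or PatchSiren: it compares installed Commerce version strings against the highest affected build per release line listed in this debrief. The ordering alpha < beta < GA < -pN, the reading of "and earlier" as covering release lines before 2.4.4, and the hostnames are assumptions; a result of "above-listed-range" only means the build is past the versions named here and should still be confirmed against APSB26-49.

```python
import re

# Highest affected build per release line, as listed in this debrief.
AFFECTED_MAX = ["2.4.9-beta1", "2.4.8-p4", "2.4.7-p9",
                "2.4.6-p14", "2.4.5-p16", "2.4.4-p17"]
# Assumed ordering within a release line: alpha < beta < GA (no suffix) < -pN.
STAGE = {"alpha": 0, "beta": 1, None: 2, "p": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

def parse(version):
    """Return (release_line, build_rank), or None for an unrecognised string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    line = tuple(int(x) for x in m.group(1, 2, 3))
    return line, (STAGE[m.group(4)], int(m.group(5) or 0))

# Map each release line, e.g. (2, 4, 7), to its highest affected build rank.
CEILING = dict(parse(v) for v in AFFECTED_MAX)

def classify(version):
    parsed = parse(version)
    if parsed is None:
        return "unknown"            # not a release string: check by hand
    line, build = parsed
    if line < min(CEILING):
        return "affected"           # covered by "and earlier"
    if line not in CEILING:
        return "unknown"            # release line not named in the debrief
    return "affected" if build <= CEILING[line] else "above-listed-range"

def triage(inventory):
    """Group hosts by status so affected ones can be scheduled first."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    ("shop-prod-01", "2.4.7-p8"),
    ("shop-prod-02", "2.4.7-p10"),
    ("legacy-store", "2.3.7-p4"),
    ("shop-dev-01", "2.4.9-beta2"),
    ("shop-dev-02", "dev-main"),
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```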

Evidence notes

This debrief is based only on the supplied NVD record and Adobe vendor advisory reference. NVD identifies the issue as analyzed, with an official Adobe reference (APSB26-49), CVSS 7.5 High, and CWE-400. The provided CPE criteria show affected Adobe Commerce and Commerce B2B versions, including Commerce 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17 and earlier. Published and modified timestamps are taken from the supplied CVE/timeline fields.

Official resources

Publicly disclosed in the official CVE/NVD record on 2026-05-12 and updated in NVD on 2026-05-20. The vendor advisory referenced by NVD is APSB26-49.