PatchSiren cyber security CVE debrief
CVE-2026-34652 Adobe CVE debrief
CVE-2026-34652 is a high-severity availability issue in Adobe Commerce that can let a remote attacker crash the application without any user interaction. NVD rates it 7.5 (HIGH) and maps it to a network-reachable, no-authentication attack surface with complete availability impact. Adobe’s advisory is referenced by NVD for mitigation guidance.
- Vendor: Adobe
- Product: Adobe Commerce
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-20
Who should care
Adobe Commerce administrators, e-commerce platform operators, security teams responsible for Adobe Commerce and Commerce B2B deployments, and incident responders monitoring application availability and crash events.
Technical summary
NVD describes this as a dependency on a vulnerable third-party component that can result in application denial-of-service. The issue is network exploitable (AV:N), requires no privileges or user interaction (PR:N/UI:N), and affects availability only (C:N/I:N/A:H). Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are listed as affected in the provided source corpus; NVD also includes related Commerce and Commerce B2B CPE criteria.
Defensive priority
High. This is a remotely reachable, no-user-interaction denial-of-service condition with a CVSS 3.1 score of 7.5. Prioritize remediation on internet-facing or business-critical storefronts first, especially environments where application downtime would directly affect revenue or order processing.
Recommended defensive actions
- Review Adobe’s security advisory referenced by NVD for the vendor’s remediation guidance.
- Patch or upgrade Adobe Commerce / Commerce B2B to a version not listed as affected in the advisory and validate the change in a staging environment first.
- Inventory exposed Commerce instances and confirm whether any match the affected versions in the NVD record.
- Monitor application logs and platform health for unexpected crashes, restarts, or sustained availability degradation.
- If immediate patching is delayed, apply compensating controls that reduce exposure to untrusted network traffic and increase availability monitoring, while treating this as a priority maintenance item.
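The inventory step above can be scripted. This is an added example, not Adobe or NVD tooling: it compares Adobe Commerce core version strings against the affected list in the technical summary. It assumes "and earlier" applies per release line and to lines older than 2.4.4; it does not cover Commerce B2B version numbers, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Highest affected version per release line, copied from the technical summary above.
AFFECTED_MAX = ["2.4.9-beta1", "2.4.8-p4", "2.4.7-p9", "2.4.6-p14", "2.4.5-p16", "2.4.4-p17"]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")
# Ordering within one release line: pre-releases < GA (no suffix) < security patches.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}

def parse(version):
    """Return (release_line, rank) for strings such as '2.4.7-p9' or '2.4.9-beta1'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch)), (_STAGE[stage], int(n or 0))

_CEILING = dict(parse(v) for v in AFFECTED_MAX)
_OLDEST_LINE = min(_CEILING)

def is_affected(version):
    line, rank = parse(version)
    if line in _CEILING:
        return rank <= _CEILING[line]
    # Assumption: lines older than the oldest listed one fall under "and earlier";
    # lines newer than any listed one are treated as not listed.
    return line < _OLDEST_LINE

def triage(inventory):
    """Map host -> 'affected' | 'not listed' | 'unknown' (unparseable, check by hand)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unknown"
    return result

if __name__ == "__main__":
    # Constructed inventory for illustration; not taken from the page.
    sample = {"shop-eu": "2.4.7-p9", "shop-us": "2.4.7-p10", "b2b": "2.4.3-p1",
              "stage": "2.4.9-beta1", "legacy": "custom-build"}
    for host, status in triage(sample).items():
        print(f"{host:8} {sample[host]:14} {status}")
```

A "not listed" result only means the version string is above the ceilings quoted on this page; confirm the fixed version against Adobe's advisory before closing the item.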
Evidence notes
Primary evidence is the official NVD record for CVE-2026-34652 (published 2026-05-12, modified 2026-05-20) and its reference to the Adobe PSIRT advisory URL. NVD classifies the issue as vuln status Analyzed and assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The source corpus states that exploitation can crash the application and does not require user interaction. KEV enrichment is absent in the supplied data.
Official resources
- CVE-2026-34652 CVE record (CVE.org)
- CVE-2026-34652 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
Publicly disclosed in the supplied corpus on 2026-05-12 and last modified on 2026-05-20. No KEV listing is present in the provided data.