PatchSiren cyber security CVE debrief
CVE-2026-42155 OpenMage CVE debrief
CVE-2026-42155 affects Magento Long Term Support (LTS) versions prior to 20.18.0. The XML-RPC/SOAP API session ID generation used an outdated, time-based MD5 construction rather than a cryptographically secure random source. Per the supplied description, the inputs were time-derived and non-secure, leaving the effective entropy severely constrained and enabling a localized brute-force attack against active API sessions when an attacker can narrow the search window and exploit the lack of API rate-limiting. The CVE was published on 2026-05-15 and last modified on 2026-05-18. In the supplied NVD source metadata, the record is marked Deferred.
- Vendor: OpenMage
- Product: magento-lts
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Operators of Magento LTS / OpenMage deployments; teams exposing XML-RPC or SOAP APIs; security engineers responsible for session management, authentication, and API rate limiting; incident responders investigating suspicious session reuse or account takeover indicators.
Technical summary
The issue is a session-ID predictability flaw in the XML-RPC/SOAP API path. Instead of using a CSPRNG, the affected code generated session identifiers from time-derived inputs combined with MD5, which can leave the output space small enough to brute force if an attacker can estimate or constrain the underlying state. The supplied CVE description says this can be used to hijack active API sessions. The NVD metadata maps the issue to CWE-330, CWE-331, and CWE-338.
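To make the entropy argument concrete, the following added example (written for this debrief, not OpenMage's code) reconstructs the weak pattern in a simplified form: a session ID that is an MD5 digest of a timestamp, next to a CSPRNG-backed replacement of the kind the recommendations later in this page call for. The `weak_id_entropy_bits` helper shows why hashing does not help: the number of possible IDs is bounded by the number of possible timestamps in the window an observer can establish, so a one-minute window at microsecond resolution yields only about 26 bits, against 256 bits for a 32-byte random token. The exact inputs OpenMage combined are not given in the supplied description; the timestamp-only form here is an assumption used for illustration.

```python
import hashlib
import math
import secrets

# Illustrative reconstruction of the weak pattern (an assumption, not OpenMage's
# actual code): the session ID is an MD5 digest of a time-derived value. MD5 makes
# the output look random, but the only entropy is in the timestamp itself.
def weak_session_id(timestamp_us: int) -> str:
    """Derive a 32-hex-char session ID from a microsecond timestamp via MD5."""
    return hashlib.md5(str(timestamp_us).encode("ascii")).hexdigest()


def weak_id_entropy_bits(window_seconds: float, resolution_us: int = 1) -> float:
    """Effective entropy (bits) of weak_session_id when the creation time is
    known to lie within `window_seconds` and the clock resolves to
    `resolution_us` microseconds. Hashing adds nothing: candidate IDs equal
    candidate timestamps, so entropy is log2 of the window size."""
    candidates = window_seconds * 1_000_000 / resolution_us
    return math.log2(candidates)


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened replacement: hex-encode `nbytes` from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def strong_id_entropy_bits(nbytes: int = 32) -> int:
    """Entropy of strong_session_id is simply the number of random bits."""
    return nbytes * 8


def looks_like_strong_id(session_id: str, min_hex_len: int = 64) -> bool:
    """Cheap reviewer check for IDs seen in code or logs: at least
    `min_hex_len` hex characters (64 hex = 256 bits) and nothing but hex.
    Length is necessary, not sufficient: a 32-hex MD5 digest of a timestamp
    fails this bar, but a long ID from a weak source would still pass, so the
    real fix is the random source, not the format."""
    if len(session_id) < min_hex_len:
        return False
    try:
        bytes.fromhex(session_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ts = 1778925600000000  # constructed sample timestamp (microseconds)
    print("weak  :", weak_session_id(ts), f"~{weak_id_entropy_bits(60):.1f} bits in a 60 s window")
    print("strong:", strong_session_id(), f"{strong_id_entropy_bits()} bits")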
Defensive priority
Urgent. This is a network-reachable, unauthenticated attack surface with CVSS 9.3 Critical severity and a direct path to API session compromise if the vulnerable version is exposed.
Recommended defensive actions
- Upgrade Magento LTS to 20.18.0 or later, which the supplied description identifies as the fix.
- Revoke or rotate active XML-RPC/SOAP API sessions after remediation.
- Add or tighten rate limiting and abuse detection on XML-RPC and SOAP endpoints.
- Review logs for unusual session creation, repeated API authentication attempts, or suspicious session reuse.
- If you maintain the codebase, ensure session identifiers are generated with a cryptographically secure random number generator.
- Validate that exposed API endpoints are only reachable by trusted clients where possible.
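The log-review and rate-limiting recommendations above can be turned into two concrete detections. The following added example is not OpenMage's code and parses a constructed, simplified application-log format (timestamp, client address, endpoint, action, result, session ID) that is an assumption for this example; adapt the regular expression to the fields your API or reverse-proxy logs actually carry. It flags sources producing a burst of API faults within a sliding window (the signal a missing rate limit leaves behind) and session IDs used from more than one client address (a session-reuse indicator). The window and threshold values are arbitrary starting points, not tuned figures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (an assumption, not OpenMage's own):
#   <ISO-8601 UTC timestamp> <client ip> <endpoint> <action> <ok|fault> session=<id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<endpoint>/api/(?:xmlrpc|soap)\S*) "
    r"(?P<action>\S+) (?P<result>ok|fault) session=(?P<sid>\S+)$"
)


def build_sample_log() -> list[str]:
    """Constructed sample: normal traffic, one client producing a burst of
    faults with differing session IDs, and one session ID reused from a
    second address."""
    base = datetime(2026, 5, 16, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(5):  # legitimate client, one session, spread over time
        t = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{t} 198.51.100.10 /api/soap catalog.list ok session=sessA")
    for i in range(25):  # 25 faults from one address inside 25 seconds
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{t} 203.0.113.7 /api/xmlrpc call fault session=guess{i:02d}")
    t = (base + timedelta(seconds=200)).strftime(fmt)
    lines.append(f"{t} 192.0.2.44 /api/soap sales_order.list ok session=sessA")
    return lines


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev


def fault_bursts(lines, window_seconds: int = 60, threshold: int = 20) -> dict:
    """Return {ip: peak faults in any window_seconds-wide sliding window}
    for addresses whose peak reaches threshold."""
    per_ip = defaultdict(list)
    for ev in parse(lines):
        if ev["result"] == "fault":
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def shared_sessions(lines) -> dict:
    """Return {session_id: sorted client ips} for sessions seen from more
    than one address, a candidate indicator of session hijack or reuse."""
    ips = defaultdict(set)
    for ev in parse(lines):
        ips[ev["sid"]].add(ev["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    sample = build_sample_log()
    print("fault bursts   :", fault_bursts(sample))
    print("shared sessions:", shared_sessions(sample))
```

Feed `fault_bursts` and `shared_sessions` the lines from your own API logs once the regular expression matches their fields; a burst finding is also the evidence you need to justify the endpoint-level rate limit recommended above.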
Evidence notes
Primary evidence comes from the supplied CVE description and NVD metadata. The description states that the flaw is in Magento LTS prior to 20.18.0, that session IDs were generated with a time-based MD5 construction, and that the issue is fixed in 20.18.0. The NVD record provides CVSS 4.0 vector data and lists CWE-330, CWE-331, and CWE-338. The supplied NVD source item marks the CVE as Deferred. No full advisory body text was provided in the corpus beyond the GitHub Security Advisory reference URL.
Official resources
- CVE-2026-42155 CVE record (CVE.org)
- CVE-2026-42155 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed in the CVE record on 2026-05-15 and updated on 2026-05-18. The supplied NVD source metadata marks the record Deferred, while the GitHub Security Advisory reference is GHSA-2cwr-gcf9-pvxr.