CVE-2024-39398: Magento does not properly restrict excessive authentication attempts

August 14, 2024 (updated November 6, 2025)

Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to accounts. Exploitation of this issue does not require user interaction, but attack complexity is high.

References

github.com/advisories/GHSA-q628-54wg-4r5q
github.com/magento/magento2
helpx.adobe.com/security/products/magento/apsb24-61.html
nvd.nist.gov/vuln/detail/CVE-2024-39398

Code Behaviors & Features

Detect and mitigate CVE-2024-39398 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →