CVE-2025-49556: Magento has incorrect authorization issue that leads to arbitrary file system read

August 12, 2025 (updated October 21, 2025)

Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.

References

github.com/advisories/GHSA-7hrj-3c9x-xv5h
github.com/magento/magento2
helpx.adobe.com/security/products/magento/apsb25-71.html
nvd.nist.gov/vuln/detail/CVE-2025-49556

Code Behaviors & Features

Detect and mitigate CVE-2025-49556 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →