GHSA-2fhr-f6q6-c4p2

GitHub Security Advisory

Magento 2 Community Edition Access Control Bypass

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.

Affected Packages

Packagist magento/community-edition
Affected versions: >= 2.1.0 (fixed in 2.1.18)
Packagist magento/community-edition
Affected versions: >= 2.2.0 (fixed in 2.2.9)
Packagist magento/community-edition
Affected versions: >= 2.3.0 (fixed in 2.3.2)

Key Information

GHSA ID
GHSA-2fhr-f6q6-c4p2
Published
May 24, 2022 4:52 PM
Last Modified
September 25, 2023 7:27 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
magento/community-edition
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database.