Threat Feed
medium advisory

CVE-2026-34649: Adobe Commerce Uncontrolled Resource Consumption Vulnerability

Adobe Commerce versions 2.4.9-beta1 and earlier contain an uncontrolled resource consumption vulnerability (CVE-2026-34649, in the CWE-400 weakness class) that lets a remote, unauthenticated attacker exhaust system resources and cause a denial of service.

Adobe Commerce 2.4.9-beta1 and earlier, including the patch releases 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17, contain an uncontrolled resource consumption vulnerability tracked as CVE-2026-34649. A remote attacker who holds no account can send requests that exhaust server resources, producing a denial-of-service (DoS) condition. No user interaction is needed, so the only precondition is network reach to the vulnerable endpoint. Successful exploitation leaves the Adobe Commerce application unresponsive or unavailable to legitimate users for as long as the resource stays exhausted.

Attack Chain

  1. An unauthenticated attacker locates a network-reachable endpoint of the Adobe Commerce application whose request handling is not bounded (the advisory does not name the endpoint or the request shape).
  2. The attacker crafts a request to that endpoint that is cheap to send but expensive for the server to process.
  3. Processing the request consumes CPU, memory, or disk I/O out of proportion to the request's size.
  4. The application allocates those resources with no cap on what a single request or a single client may consume.
  5. The attacker repeats the request at high volume, multiplying the cost.
  6. Server resources are exhausted and the application's performance degrades.
  7. Legitimate requests are delayed or fail because of the resource contention.
  8. The Adobe Commerce application stops responding, which is the denial-of-service condition.

Impact

Successful exploitation of CVE-2026-34649 results in a denial-of-service condition that makes the Adobe Commerce storefront and its APIs unavailable to legitimate users. For a commerce platform that translates directly into lost sales, failed customer-service interactions, and revenue impact for the duration of the attack. Because the flaw is reachable over the network without credentials or user interaction, it can be exploited at scale against any exposed instance. The severity is rated HIGH with a CVSS base score of 7.5, consistent with a network-reachable, low-complexity, unauthenticated attack whose only impact is on availability.

Recommendation

  • Apply the Adobe Commerce release or security patch that addresses CVE-2026-34649 for your release line. The affected list spans 2.4.4 through 2.4.9-beta1, so every supported line needs the fix; consult Adobe's bulletin for the fixed version rather than assuming the newest beta.
  • Until the fix is deployed, enforce rate limiting per client and per endpoint at the reverse proxy, CDN, or WAF, with the tightest limits on the unauthenticated API endpoints. This caps the amplification a single source can achieve but does not remove the unbounded allocation, so treat it as a stopgap, not a remediation.
  • Deploy the Sigma rule “Detect CVE-2026-34649 Exploitation Attempt” to identify requests targeting the vulnerability, and tune the volume-based rule's threshold against the store's own traffic baseline so that legitimate peaks such as sales events do not fire it.
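As an added illustration of the rate-limiting recommendation, and not code from the advisory or from Adobe Commerce: a per-client, per-endpoint token bucket of the kind a reverse proxy or WAF enforces in front of the application. The endpoint path, the client addresses, the sustained rate of 4 requests/s and the burst of 10 are assumptions chosen for the demonstration, and the traffic is constructed rather than captured.

```python
import time

# Hypothetical policy, not a value from the advisory: sustained 4 requests/s per
# client per endpoint, with a burst allowance of 10.
RATE = 4.0
BURST = 10.0


class TokenBucketLimiter:
    """Per-(client_ip, endpoint) token bucket.

    A bucket starts full, refills at `rate` tokens per second up to `burst`,
    and each request spends one token. An empty bucket means the request is
    rejected (HTTP 429) together with a Retry-After hint. Keying on client
    and endpoint means a flood against one path from one source cannot drain
    another client's budget.
    """

    def __init__(self, rate=RATE, burst=BURST):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # (client_ip, endpoint) -> (tokens, last_seen)

    def check(self, client_ip, endpoint, now=None):
        """Return (allowed, retry_after_seconds) for one request."""
        if now is None:
            now = time.monotonic()
        key = (client_ip, endpoint)
        tokens, last = self._buckets.get(key, (self.burst, now))
        # Refill in proportion to elapsed time, never beyond the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True, 0.0
        # Empty bucket: record the refill time and say how long until one token exists.
        self._buckets[key] = (tokens, now)
        return False, (1.0 - tokens) / self.rate


def simulate(limiter, requests):
    """Feed (timestamp, client_ip, endpoint) tuples through the limiter in time
    order and return {client_ip: {"allowed": n, "rejected": n}}."""
    outcome = {}
    for ts, ip, endpoint in sorted(requests):
        allowed, _ = limiter.check(ip, endpoint, now=ts)
        stats = outcome.setdefault(ip, {"allowed": 0, "rejected": 0})
        stats["allowed" if allowed else "rejected"] += 1
    return outcome


def constructed_traffic():
    """Constructed traffic (not captured data): a shopper at 2 req/s and a
    flood source at 16 req/s, both hitting the same hypothetical endpoint for
    10 seconds. Timestamps are multiples of 1/16 s so the float arithmetic
    is exact and the outcome is deterministic."""
    endpoint = "/rest/V1/example"  # hypothetical path, not the vulnerable endpoint
    shopper = [(i * 0.5, "198.51.100.5", endpoint) for i in range(20)]
    flood = [(i / 16, "203.0.113.7", endpoint) for i in range(160)]
    return shopper + flood


if __name__ == "__main__":
    for ip, stats in simulate(TokenBucketLimiter(), constructed_traffic()).items():
        print(ip, stats)
```

The shopper is never throttled, while the flood source is cut to the initial burst plus roughly the sustained rate for the rest of the window. In production the same policy is normally expressed at the edge (for example nginx's limit_req_zone keyed on the client address) rather than in application code, and it limits what one source can amplify without fixing the unbounded allocation itself.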

Detection coverage (2 rules)

Detect CVE-2026-34649 Exploitation Attempt

Severity: high

Detects CVE-2026-34649 exploitation attempts by monitoring for suspicious HTTP requests known to cause excessive resource consumption.

Format: Sigma | Tactic: availability | Technique: T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood) | Log source: webserver

Detect High Volume of Requests to Specific Endpoints

Severity: medium

Detects potential DoS attacks by monitoring for a high volume of requests to specific endpoints known to be vulnerable.

Format: Sigma | Tactic: availability | Technique: T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood) | Log source: webserver
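As an added example, not one of the platform's rules: the volume logic of the second rule written out in Python and run over constructed web-server access-log lines, so that the threshold and window behaviour can be checked before a Sigma rule is tuned. The watched endpoint path, the threshold of 100 requests per source per 60-second window, the client addresses and the log content are all assumptions; the advisory does not name the vulnerable endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical values: the advisory does not name the affected endpoint or a
# safe request rate, so the watched path and threshold are assumptions.
WATCHED_PREFIXES = ("/rest/V1/example",)
WINDOW = timedelta(seconds=60)
THRESHOLD = 100  # requests per (source IP, path) inside WINDOW

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (timestamp, ip, path) for a combined-format line, or None if it
    does not parse. The query string is stripped so that /x?a=1 and /x?a=2
    aggregate under the same path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return ts, m.group("ip"), path


def detect(lines, window=WINDOW, threshold=THRESHOLD, prefixes=WATCHED_PREFIXES):
    """Sliding-window volume detector.

    Keeps, per (ip, path), the timestamps of requests seen within `window`
    and raises one alert the first time that count reaches `threshold`.
    Returns a list of dicts with keys ip, path, count, first, last.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if not path.startswith(prefixes):
            continue
        key = (ip, path)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "path": path, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def sample_log():
    """Constructed access-log lines (not real traffic): one shopper at a
    normal pace, one source hammering the watched endpoint with a different
    query string each time, and the same source fetching a static asset the
    rule ignores."""
    t0 = datetime(2026, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, when, path, status=200):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "POST {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'

    events = []
    for i in range(6):    # legitimate: one request every 30 s
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.5", "/rest/V1/example"))
    for i in range(150):  # flood: four requests per second for about 38 s
        events.append((t0 + timedelta(seconds=i // 4), "203.0.113.7", "/rest/V1/example?id=%d" % i))
    for i in range(20):   # noise from the same source on an unwatched path
        events.append((t0 + timedelta(seconds=i), "203.0.113.7", "/static/frontend/app.js"))
    events.sort(key=lambda e: e[0])
    return [line(ip, when, path) for when, ip, path in events]


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"ALERT {a['ip']} {a['path']} {a['count']} requests "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Aggregation is per source address and path with the query string removed, which is what lets the flood stand out even though every request carries a different parameter. A Sigma rule on a webserver log source expresses the same condition as a count aggregation over a timeframe; the threshold should come from the store's own baseline so that legitimate traffic peaks do not fire it, and a distributed flood that stays under the per-source threshold needs a second rule keyed on the path alone.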

Detection queries are available on the platform.