CVE-2026-34651 - Adobe Commerce Uncontrolled Resource Consumption Vulnerability
Adobe Commerce versions 2.4.9-beta1 and earlier are vulnerable to uncontrolled resource consumption, potentially leading to application denial-of-service due to an attacker's ability to exhaust system resources without user interaction.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17 and earlier are susceptible to an uncontrolled resource consumption vulnerability. This flaw allows a remote, unauthenticated attacker to exhaust system resources, leading to a denial-of-service (DoS) condition. The vulnerability stems from inadequate limitations on resource allocation, enabling attackers to consume excessive memory, CPU, or disk I/O. Successful exploitation results in the application becoming unresponsive or crashing, impacting legitimate users. Defenders should prioritize patching vulnerable instances.
Attack Chain
- An unauthenticated attacker identifies a publicly accessible endpoint within the Adobe Commerce application.
- The attacker crafts a malicious request designed to trigger excessive resource consumption on the server.
- This request is sent to the targeted endpoint, bypassing any authentication or authorization checks.
- Upon receiving the request, the Adobe Commerce application processes the data without proper resource limits.
- The application begins allocating excessive resources, such as memory or CPU time, in response to the malicious request.
- The attacker repeats the process by sending multiple malicious requests.
- System resources become significantly depleted, leading to a degradation of performance for legitimate users.
- The Adobe Commerce application becomes unresponsive or crashes, resulting in a denial-of-service condition.
Impact
Successful exploitation of this vulnerability can lead to a complete denial of service, rendering the Adobe Commerce application unavailable to users. This can result in significant financial losses due to the inability to process transactions, reputational damage, and potential loss of customer trust. Given the widespread use of Adobe Commerce, a large number of e-commerce businesses are potentially at risk.
Recommendation
- Upgrade Adobe Commerce to a patched version (later than 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17) to remediate the uncontrolled resource consumption vulnerability as described in CVE-2026-34651.
- Implement rate limiting on critical API endpoints to mitigate the impact of resource exhaustion attacks.
- Monitor system resource utilization (CPU, memory, disk I/O) on Adobe Commerce servers to detect anomalous behavior indicative of a denial-of-service attack.
- Deploy the Sigma rule provided to detect suspicious POST requests potentially exploiting CVE-2026-34651.
Detection coverage (2 rules)
Detect CVE-2026-34651 Exploitation Attempt - High Resource Consumption Request
Severity: medium. Detects potential exploitation attempts of CVE-2026-34651 based on suspicious HTTP POST requests to Adobe Commerce endpoints.
Detect CVE-2026-34651 Exploitation Attempt - Large Payload
Severity: medium. Detects potential exploitation attempts of CVE-2026-34651 based on large HTTP POST requests to Adobe Commerce endpoints.
Detection queries are available on the platform.
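As an added example (not the platform's Sigma rules, which are not reproduced on this page), a small Python detector that applies the two conditions described above, oversized POST bodies and bursts of POSTs from one client, to constructed access-log lines. The log layout (combined log format with nginx's $request_length appended), the API path prefixes, the placeholder endpoint path and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the advisory.
MAX_BODY_BYTES = 1_000_000            # one POST body larger than 1 MB
BURST_COUNT = 5                       # or 5 POSTs from one client ...
BURST_WINDOW = timedelta(seconds=10)  # ... within a 10-second window
API_PREFIXES = ("/rest/", "/graphql")  # assumed Adobe Commerce API path prefixes

# Assumed log layout: combined log format with nginx's $request_length appended.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<req_len>\d+)$')

# Constructed sample lines; /rest/V1/example is a placeholder path, not a real endpoint.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 4321 512
198.51.100.7 - - [01/Mar/2026:10:00:02 +0000] "POST /rest/V1/example HTTP/1.1" 200 210 830
203.0.113.10 - - [01/Mar/2026:10:00:03 +0000] "POST /graphql HTTP/1.1" 200 180 4200000
203.0.113.10 - - [01/Mar/2026:10:00:04 +0000] "POST /graphql HTTP/1.1" 200 180 900
203.0.113.10 - - [01/Mar/2026:10:00:05 +0000] "POST /graphql HTTP/1.1" 200 180 900
203.0.113.10 - - [01/Mar/2026:10:00:06 +0000] "POST /graphql HTTP/1.1" 200 180 900
203.0.113.10 - - [01/Mar/2026:10:00:07 +0000] "POST /graphql HTTP/1.1" 200 180 900
"""

def parse_line(line):
    # Parse one access-log line into a dict, or return None if it does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["req_len"] = int(ev["req_len"])
    return ev

def detect(lines):
    """Return (rule, client_ip, detail) alerts for oversized or bursty API POSTs."""
    alerts = []
    recent = defaultdict(list)  # client ip -> timestamps of POSTs in the current window
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].startswith(API_PREFIXES):
            continue
        if ev["req_len"] > MAX_BODY_BYTES:
            alerts.append(("large_payload", ev["ip"], ev["req_len"]))
        # Sliding window: keep only POSTs from this client inside BURST_WINDOW, then add this one.
        window = [t for t in recent[ev["ip"]] if ev["ts"] - t <= BURST_WINDOW] + [ev["ts"]]
        recent[ev["ip"]] = window
        if len(window) == BURST_COUNT:  # alert once, when the threshold is first crossed
            alerts.append(("post_burst", ev["ip"], len(window)))
    return alerts
```

Running detect(SAMPLE_LOG.splitlines()) flags 203.0.113.10 twice: once for the 4.2 MB body and once when its fifth POST within ten seconds arrives; the GET and the single small POST from 198.51.100.7 are ignored.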