Adobe Commerce DoS Vulnerability (CVE-2026-34649) Puts E-commerce at Risk
The National Vulnerability Database has disclosed CVE-2026-34649, an Uncontrolled Resource Consumption vulnerability impacting various Adobe Commerce versions. This flaw, rated with a CVSS score of 7.5 (HIGH), enables an attacker to exhaust system resources without requiring user interaction, leading directly to a denial-of-service condition for the application.
This is a critical issue for any organization running Adobe Commerce. A successful exploit means your e-commerce platform could be taken offline, impacting sales and reputation. The lack of user interaction required for exploitation lowers the barrier for attackers, making it a prime target for opportunistic or targeted disruption. Defenders must recognize that the attacker’s calculus here is straightforward: maximum impact with minimal effort.
While the National Vulnerability Database did not specify affected products beyond Adobe Commerce, the broad range of vulnerable versions — including 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, and earlier — indicates a widespread potential impact. CISOs need to prioritize patching and ensure their incident response plans account for potential DoS scenarios stemming from this vulnerability.
What This Means For You
- If your organization uses Adobe Commerce, immediately identify all instances running versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, or earlier. Prioritize patching to a secure version to mitigate the risk of application denial-of-service. Review your web application firewall (WAF) rules and DoS protection mechanisms to ensure they can detect and block attempts to exploit this uncontrolled resource consumption weakness (CWE-400).
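As an added example (not code from NVD, Adobe or this site), the Python check below compares an inventory of version strings with the affected list above. The hostnames are constructed sample data, and the ordering used (alpha/beta/rc builds before the GA release, `-pN` patches after it) is an assumption about Adobe Commerce version naming.

```python
import re

# Highest release the page lists as affected on each 2.4.x line.
AFFECTED_CEILING = {
    (2, 4, 9): "beta1",
    (2, 4, 8): "p4",
    (2, 4, 7): "p9",
    (2, 4, 6): "p14",
    (2, 4, 5): "p16",
    (2, 4, 4): "p17",
}
OLDEST_LISTED_LINE = min(AFFECTED_CEILING)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")
# Assumption: pre-releases sort before the GA build, security patches (-pN) after it.
STAGE_RANK = {"alpha": -3, "beta": -2, "rc": -1, None: 0, "p": 1}


def parse(version):
    """Split '2.4.7-p9' into ((2, 4, 7), (stage_rank, number))."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    line = tuple(int(x) for x in m.group(1, 2, 3))
    stage, num = m.group(4), int(m.group(5) or 0)
    return line, (STAGE_RANK[stage], num)


def listed_as_affected(version):
    """True if the page's version list covers this build."""
    line, suffix = parse(version)
    if line < OLDEST_LISTED_LINE:
        return True  # "and earlier": release lines older than 2.4.4
    ceiling = AFFECTED_CEILING.get(line)
    if ceiling is None:
        return False  # release line newer than anything the page lists
    _, ceiling_suffix = parse(f"{line[0]}.{line[1]}.{line[2]}-{ceiling}")
    return suffix <= ceiling_suffix


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample data.
    inventory = {"shop-eu": "2.4.7-p9", "shop-us": "2.4.8-p5", "legacy": "2.3.7-p4"}
    for host, version in inventory.items():
        state = "AFFECTED" if listed_as_affected(version) else "not listed"
        print(f"{host:10} {version:12} {state}")
```

A `False` result only means the build is not in the page's list; the page does not name the fixed versions, so confirm the target release against Adobe's security bulletin before closing the finding.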
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Adobe Commerce Uncontrolled Resource Consumption - CVE-2026-34649
```yaml
title: Adobe Commerce Uncontrolled Resource Consumption - CVE-2026-34649
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-34649 by targeting the '/rest/V1/carts/mine/collect-totals' endpoint with a POST request, which is known to trigger an uncontrolled resource consumption vulnerability leading to denial-of-service in affected Adobe Commerce versions.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34649/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/rest/V1/carts/mine/collect-totals'
    cs-method:
      - 'POST'
  # Fires on every matching POST; the rule carries no rate or volume threshold.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34649 | DoS | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier |
| CVE-2026-34649 | DoS | Uncontrolled Resource Consumption vulnerability |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.