Adobe Commerce Path Traversal (CVE-2026-34653) Allows File System Read/Write

/HIGH /CVSS 8.7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitypath-traversalcwe-22
Adobe Commerce Path Traversal (CVE-2026-34653) Allows File System Read/Write

The National Vulnerability Database has disclosed CVE-2026-34653, a critical path traversal vulnerability impacting multiple versions of Adobe Commerce. This flaw, rated 8.7 CVSS, allows an authenticated attacker with administrative privileges to read and write arbitrary files outside of the restricted directory. No user interaction is required for exploitation.

This isn’t a simple config bypass. An attacker gaining administrative access to an Adobe Commerce instance can leverage this to achieve persistent access, inject web shells, or exfiltrate sensitive data directly from the underlying file system. The scope change to ‘C’ (Changed) indicates a significant impact beyond the immediate component.

While the prerequisite of administrative access might seem high, the reality is that admin credentials for e-commerce platforms are prime targets. Phishing, credential stuffing, or supply chain compromises could easily provide an attacker with the necessary initial foothold, turning this path traversal into a devastating post-exploitation capability.

What This Means For You

  • If your organization uses Adobe Commerce, immediately identify all instances running versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17, or earlier. Prioritize patching to mitigate CVE-2026-34653. Review administrative user logs for any suspicious activity, as this vulnerability requires an authenticated admin account.

Related ATT&CK Techniques

T1083 File and Directory Discovery Discovery T1566.002 Phishing: Spearphishing Attachment Initial Access T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

Adobe Commerce Path Traversal File Write - CVE-2026-34653

Sigma YAML — free preview 
title: Adobe Commerce Path Traversal File Write - CVE-2026-34653
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-34653 by looking for specific URI patterns indicative of the file upload endpoint combined with path traversal characters in the query string and a successful HTTP status code. This allows an authenticated attacker to write files to arbitrary locations on the file system.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34653/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/index.php/admin/adminhtml_fileuploader/upload/'
      cs-uri-query|contains:
          - '../'
      sc-status:
          - 200
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-34653 Path Traversal Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier
CVE-2026-34653 Path Traversal Arbitrary file system read and write
CVE-2026-34653 Path Traversal Authenticated attacker with administrative privileges

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 12, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal

CVE-2026-7474 — HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This...

vulnerabilityCVEhigh-severitycode-executioncwe-22
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 3 Sigma

CVE-2026-44225: Pulpy Packager Allows Arbitrary File Access

CVE-2026-44225 — Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged...

vulnerabilityCVEcriticalhigh-severityarbitrary-file-accesscwe-22cwe-284
/SCW Vulnerability Desk /CRITICAL /9.3 /⚑ 3 IOCs /⚙ 3 Sigma

ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases

CVE-2026-44221 — ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate...

vulnerabilityCVEcriticalhigh-severitycwe-863
/SCW Vulnerability Desk /CRITICAL /9 /⚑ 5 IOCs /⚙ 3 Sigma