No items found.

March 26, 2026

Minutes Read

PolyShell - Critical File Upload Vulnerability in Magento & Adobe Commerce

Advisory

Security Advisory

March 26, 2026

Minutes Read

PolyShell - Critical File Upload Vulnerability in Magento & Adobe Commerce

Advisory

Security Advisory

March 26, 2026

Minutes Read

Kudelski Security Team

Find out more

table of contents

Share on

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Summary

PolyShell is a critical vulnerability affecting Magento Open Source 2 and Adobe Commerce platforms. It targets the REST API responsible for file uploads in custom product options within the shopping cart. The vulnerability is actively exploited in the wild, with attacks beginning shortly after public disclosure. Successful exploitation may result in:

Remote Code Execution (RCE)
Stored Cross-Site Scripting (XSS)
Account takeover
Deployment of payment card skimmers

Due to the nature of e-commerce systems handling sensitive customer and payment data, this vulnerability presents a high to critical risk to affected organizations.

Affected Systems and/or Applications

The PolyShell vulnerability affects Magento Open Source 2 and Adobe Commerce instances that have not yet applied the official patch addressing unrestricted file uploads in custom product options via the REST API.

Specifically affected systems include:

Magento Open Source 2.x and Adobe Commerce 2.x stable production releases prior to 2.4.9‑beta1 (released March 10, 2026), which contain the only known fix for PolyShell.
Any environment exposing the REST API for file uploads in custom product options, regardless of minor version, if the official patch or equivalent mitigation has not been applied.

Key considerations:

Most production deployments of Magento 2 and Adobe Commerce 2 remain vulnerable because the vendor patch is currently only available in a pre-release/beta channel.
Instances that do not restrict or validate uploaded files via REST API endpoints are at higher risk.
Operators should assume all 2.x versions prior to 2.4.9‑beta1 are affected unless explicit compensating controls or hardening have been implemented.

Technical Details

The vulnerability originates from improper handling of file uploads via the Magento REST API in the context of custom product options. Attackers can exploit this by uploading polyglot files—files crafted to be interpreted differently by various components (e.g., application logic, web server, validation layers). If validation mechanisms are insufficient, this can lead to:

Remote Code Execution (RCE): Malicious payloads executed on the server
Stored XSS: Injection of persistent scripts executed in users’ browsers
Session Hijacking: Through exploitation of XSS
Malicious Script Injection: Including payment skimmers

Observed attack techniques include:

WebRTC-based exfiltration, enabling encrypted data transfer that bypasses traditional HTTP monitoring
Delayed payload execution and dynamic loading techniques to evade detection
Deployment of web skimmers targeting payment card data during checkout

These techniques reduce visibility for traditional security monitoring tools and increase attacker dwell time.

Mitigation

Organizations should treat this vulnerability as a priority and implement both remediation and detection measures immediately:

1. Patch and Version Control

Identify all Magento and Adobe Commerce instances
Apply official vendor patches without delay
Available Mitigation: Adobe released a fix for PolyShell in version 2.4.9-beta1 on March 10, 2026. The patch has not yet reached production versions.

2. Restrict Attack Surface

Temporarily disable or restrict file upload functionality via REST API if not business-critical
Restrict access to the pub/media/custom_options/ directory
Limit exposure of API endpoints to trusted sources only