Magento “PolyShell” flaw lets attackers upload files without logging in, raising RCE and takeover risks

Home » News

Yash

News

6 min. read

Published on March 21, 2026

A newly disclosed Magento flaw called PolyShell can let unauthenticated attackers upload files through the platform’s REST API, creating a serious risk for Adobe Commerce and Magento Open Source stores. Security firm Sansec says the bug affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2, while Adobe’s March bulletin shows fixes shipping in later supported builds such as 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, and 2.4.4-p17.

The risk is not the same on every store. Sansec says the flaw always allows unrestricted uploads, but the final impact depends on web server configuration. On some deployments, the bug can lead to remote code execution through uploaded PHP files. On others, it can enable stored cross-site scripting that may lead to account takeover.

Sansec says it has not seen PolyShell exploited in the wild so far. Still, the company warns that the exploit method is already circulating and expects automated attacks to appear soon. Adobe, for its part, says it is not aware of in-the-wild exploitation for the issues covered by its March 10 security update.

What PolyShell is and why it matters

According to Sansec, the flaw sits in Magento’s REST API flow for cart item custom options. When a product option uses the file type, Magento processes a file_info object with base64-encoded data, a MIME type, and a filename, then writes that file into pub/media/custom_options/quote/ on the server.

Sansec says attackers can abuse that flow to smuggle executable content while disguising it as an image, which is why the company named the issue PolyShell. That creates a dangerous entry point on internet-facing stores because the upload does not require authentication.

Sansec also notes that GraphQL mutations use a different code path and are not vulnerable. That narrows the issue to the REST API path rather than Magento file handling in general.

Affected Magento and Adobe Commerce versions

Sansec says unrestricted file upload affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. It adds that RCE and stored XSS outcomes depend on server setup, older versions, or custom configurations.

Adobe’s March 2026 security bulletin shows a broader supported-version matrix and lists patched releases that customers should move to now. Adobe says the update resolves critical, important, and moderate vulnerabilities, and warns that successful exploitation could lead to security feature bypass, denial of service, privilege escalation, arbitrary code execution, and arbitrary file system read.

Versions at a glance

Product	Affected according to Adobe	Fixed versions Adobe recommends
Adobe Commerce	2.4.9-alpha3 and earlier; 2.4.8-p3 and earlier; 2.4.7-p8 and earlier; 2.4.6-p13 and earlier; 2.4.5-p15 and earlier; 2.4.4-p16 and earlier	2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17
Magento Open Source	2.4.9-alpha3; 2.4.8-p3 and earlier; 2.4.7-p8 and earlier; 2.4.6-p13 and earlier; 2.4.5-p15 and earlier	2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16

Source: Adobe APSB26-05.

How attackers could turn the upload bug into something worse

Sansec says the uploaded file lands in pub/media/custom_options/quote/. If the server later serves or executes that content in an unsafe way, attackers can gain much more than a simple file upload.

The company outlines two main worst-case paths. One is PHP execution, which can hand the attacker remote code execution. The other is stored XSS, which can expose admins or users to malicious scripts and potentially lead to session theft or account takeover.

Even when direct execution is blocked, Sansec warns the file still remains on disk. That means a later config change, migration, or web server swap could expose a payload that looked harmless at the time of upload.

Main risk scenarios

Unauthenticated file upload through the REST API
Remote code execution on servers that execute uploaded PHP content
Stored XSS on affected versions or unsafe custom configurations
Delayed exposure if uploaded files remain reachable after a future config change

These scenarios come from Sansec’s technical analysis and recommendations.

What store owners should do now

The most important step is patching. Adobe has published fixed versions and recommends customers update to the newest supported release. That is the cleanest path because it removes the vulnerable code rather than only trying to contain the fallout.

Sansec also recommends locking down access to pub/media/custom_options/ and verifying that Apache or nginx rules actually block access to the upload directory. The company stresses that blocking access alone does not stop uploads, so defensive filtering at the edge still matters.

Sansec further advises scanning stores for web shells, backdoors, and malware. That is especially important for large storefronts that rely on custom hosting templates, inherited configs, or older server rules that may not match Adobe’s safer sample configuration.

Immediate mitigation steps

Upgrade Adobe Commerce or Magento Open Source to Adobe’s fixed builds
Restrict access to pub/media/custom_options/
Verify nginx or Apache rules block access to that upload path
Scan the store for web shells, backdoors, and other malware
Review custom server configs that may pass uploaded .php files to execution handlers

Separate Magento attack wave adds more pressure

This disclosure lands as Netcraft tracks a large Magento defacement campaign that began on February 27, 2026. Netcraft says attackers deployed defacement text files across about 15,000 hostnames spanning 7,500 domains, including major brands, ecommerce infrastructure, and government services.

Netcraft does not link that campaign to PolyShell in the source reviewed here. Still, the timing raises the stakes for Magento defenders because it shows attackers already have strong interest in exposed Magento environments right now. That connection is an inference based on timing, not a confirmed overlap in intrusion method.

FAQ

What is the Magento PolyShell flaw?

PolyShell is Sansec’s name for an unauthenticated file upload flaw in the Magento and Adobe Commerce REST API. Sansec says attackers can disguise code as an image and upload it to the server.

Does PolyShell allow remote code execution?

It can, but not on every store. Sansec says RCE depends on web server configuration. On other setups, the flaw may lead to stored XSS and possible account takeover instead.

Which Magento versions are affected?

Sansec says all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 are affected by the unrestricted upload issue. Adobe’s March bulletin lists affected supported branches through 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16.

Is there evidence of active exploitation?

Sansec says it has not observed active exploitation so far. Adobe also says it is not aware of in-the-wild exploits for the vulnerabilities covered in its March update.

What should store owners do first?

Update to Adobe’s fixed versions, block access to the upload directory, and scan for malware or web shells.

Yash

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links.

Improve this guide

User forum

0 messages

Sort by: