CVE-2026-42155

Description

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20.18.0.

Source: NVD

References

• [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42155
• [Other]https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr
• [Other]https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr

Related CVEs