CVE-2026-40098 | OpenMage magento-lts up to 20.16.x Download Endpoint sharing_code authorization (GHSA-665x-ppc4-685w)

VDB-358333 · CVE-2026-40098 · GHSA-665X-PPC4-685W OPENMAGE MAGENTO-LTS UP TO 20.16.X DOWNLOAD ENDPOINT SHARING_CODE AUTHORIZATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.0 $0-$5k 2.72 Summaryinfo A vulnerability has been found in OpenMage magento-lts up to 20.16.x and classified as critical. This affects an unknown function of the component Download Endpoint. This manipulation of the argument sharing_code causes authorization. This vulnerability appears as CVE-2026-40098. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded. Detailsinfo A vulnerability was found in OpenMage magento-lts up to 20.16.x. It has been declared as critical. Affected by this vulnerability is an unknown part of the component Download Endpoint. The manipulation of the argument sharing_code with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is: Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue. The advisory is shared at github.com. This vulnerability is known as CVE-2026-40098 since 04/09/2026. The exploitation appears to be easy. The attack can be launched remotely. Technical details are known, but no exploit is available. Upgrading to version 20.17.0 eliminates this vulnerability. Productinfo Type E-Commerce Management Software Vendor OpenMage Name magento-lts Version 20.0 20.1 20.2 20.3 20.4 20.5 20.6 20.7 20.8 20.9 20.10 20.11 20.12 20.13 20.14 20.15 20.16 Website Product: https://github.com/OpenMage/magento-lts/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 6.3 VulDB Meta Temp Score: 6.0 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Authorization CWE: CWE-862 / CWE-863 / CWE-285 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: magento-lts 20.17.0 Timelineinfo 04/09/2026 CVE reserved 04/20/2026 +11 days Advisory disclosed 04/20/2026 +0 days VulDB entry created 04/20/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-665x-ppc4-685w Status: Confirmed CVE: CVE-2026-40098 (🔒) GCVE (CVE): GCVE-0-2026-40098 GCVE (VulDB): GCVE-100-358333 Entryinfo Created: 04/20/2026 19:54 Changes: 04/20/2026 19:54 (69) Complete: 🔍 Cache ID: 99:D86:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸