
Magento PolyShell: unrestricted file upload in Magento and Adobe Commerce


by Sansec Forensics Team

Published in Threat Research, March 17, 2026

A new vulnerability in the Magento and Adobe Commerce REST API allows attackers to upload executable files to any store. Adobe fixed the issue in a pre-release version but has not backported the patch. 55.1% of all stores run web server configurations that enable either remote code execution (RCE) or account takeover (stored XSS).


A critical flaw in Magento's REST API lets unauthenticated attackers upload executable files to any store. We named the vulnerability "PolyShell" because the attack uses a polyglot (code disguised as an image).

Sansec has not observed active exploitation so far. However, the exploit method is circulating already and Sansec expects automated attacks to appear soon.

Affected versions

  • Unrestricted file upload — all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2
  • Stored XSS — all versions before 2.3.5, or any version with a custom web server config
  • RCE via PHP upload — Magento 2.0.0–2.2.x with the stock nginx config (via an index.php filename); any version with a non-stock nginx config that passes all .php requests to FastCGI; Apache on versions before 2.3.5 without php_flag engine 0
  • Patched — 2.4.9-alpha3 and later (pre-release only)

The vulnerable code has existed since the very first Magento 2 release. Adobe fixed it in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions. While Adobe provides a sample web server configuration that would largely limit the fallout, the majority of stores use a custom configuration from their hosting provider. Sansec investigated all known Magento and Adobe Commerce stores and found that 55.1% expose files in the upload directory.

Even when execution is blocked, the uploaded file stays on disk. A future configuration change, server migration, or web server swap could expose it.

Recommendations

There is no official patch available for production Magento versions. Until Adobe releases one:

  1. Block attacks in real time. Deploy Sansec Shield to block PolyShell exploitation attempts (use code POLYSHELL to run it free of charge for one month).
  2. Restrict access to the upload directory. Verify that your web server blocks all access to pub/media/custom_options/. For nginx, ensure a location block with deny all exists and is not overridden by a \.php$ regex match. For Apache, verify that the .htaccess file is present and effective. Note that blocking access does not block uploads: without a specialized WAF, malicious code can still be written to the directory.
  3. Scan for compromise. Run eComscan to detect uploaded webshells, backdoors, and other malware.
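The nginx pitfall in recommendation 2 is about location precedence: a regex block such as `location ~ \.php$` is evaluated after the longest matching prefix and wins unless that prefix carries the `^~` modifier. The following is an added illustration, not Sansec's, Magento's or nginx's code; it models nginx's selection rules in Python so the weak and corrected configurations can be compared side by side. The two config snippets and the request path are constructed examples, not a stock Magento nginx.conf.sample.

```python
"""Model of nginx location precedence, added as an illustration (not Sansec's,
Magento's or nginx's code) of why a `deny all` on the custom_options upload
directory can be overridden by a `location ~ \\.php$` regex block, and how the
`^~` prefix modifier prevents that. Config snippets below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str   # '' (prefix), '=', '^~', '~' (regex), '~*' (regex, case-insensitive)
    pattern: str
    action: str     # the directive inside the block, e.g. 'deny all'


# Minimal grammar: one-line `location [modifier] pattern { directive; }` blocks.
LOCATION_RE = re.compile(r'location\s+(=|\^~|~\*|~)?\s*(\S+)\s*\{\s*([^}]*?)\s*;?\s*\}')


def parse_locations(conf):
    """Parse the constructed config fragments into Location records."""
    return [Location(mod or '', pat, body.strip())
            for mod, pat, body in LOCATION_RE.findall(conf)]


def match_location(locations, uri):
    """Reproduce nginx's location selection order:
    1. an exact `=` match wins immediately;
    2. the longest matching prefix is remembered; if it carries `^~`,
       regex locations are not consulted at all;
    3. otherwise the first matching regex (in file order) wins;
    4. if no regex matches, the longest prefix is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == '=' and uri == loc.pattern:
            return loc
        if loc.modifier in ('', '^~') and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == '^~':
        return best_prefix
    for loc in locations:
        if loc.modifier in ('~', '~*'):
            flags = re.IGNORECASE if loc.modifier == '~*' else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best_prefix


def handler_for(conf, uri):
    """Return the directive that would handle `uri`, or None if nothing matches."""
    loc = match_location(parse_locations(conf), uri)
    return loc.action if loc else None


# Weak: plain prefix location. The later `~ \.php$` regex still wins for .php
# files inside the upload directory, so PHP is handed to FastCGI despite the deny.
WEAK_CONF = r"""
location /media/custom_options/ { deny all; }
location ~ \.php$ { fastcgi_pass php-fpm; }
"""

# Fixed: `^~` makes the prefix match final, so the regex is never evaluated
# for anything under the upload directory.
FIXED_CONF = r"""
location ^~ /media/custom_options/ { deny all; }
location ~ \.php$ { fastcgi_pass php-fpm; }
"""

# Constructed request path (pub/ is the document root, so pub/media/... is served as /media/...).
UPLOADED_PHP = "/media/custom_options/quote/example.php"

if __name__ == "__main__":
    print("weak :", handler_for(WEAK_CONF, UPLOADED_PHP))   # fastcgi_pass php-fpm
    print("fixed:", handler_for(FIXED_CONF, UPLOADED_PHP))  # deny all
```

The same check applies to any other regex block that routes by extension: if a `deny all` for the upload directory is written as a plain prefix location, every `location ~` later in the file can override it for matching filenames.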

Technical analysis

Magento's REST API accepts file uploads as part of the cart item custom options. When a product option has type "file", Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server.

GraphQL mutations use a different code path and are not vulnerable.
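The analysis above describes the upload as a file_info object carrying base64 data, a declared MIME type and a filename. The following added example (not Magento's or Sansec's code) shows the server-side checks a defender would want before such an object is written to disk: base64 validity, an image-type allowlist, extension and magic-byte agreement with the declared type, and a scan for PHP or HTML markers that mark a polyglot. The key names `name`, `type` and `base64_encoded_data` are assumed to follow Magento's ImageContent interface; every sample payload is constructed.

```python
"""Pre-write checks for a custom-option file upload, added as an illustration
(not Magento's or Sansec's code) of rejecting the polyglot described above:
executable content carried inside an "image". Key names (name, type,
base64_encoded_data) are assumed to follow Magento's ImageContent interface;
all sample payloads are constructed.
"""
import base64
import binascii
import re

# Declared MIME type -> (accepted magic-byte prefixes, accepted extensions)
ALLOWED_TYPES = {
    "image/jpeg": ((b"\xff\xd8\xff",), {".jpg", ".jpeg"}),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), {".png"}),
    "image/gif": ((b"GIF87a", b"GIF89a"), {".gif"}),
}

# Markers that have no business inside a raster image. PHP tags cover the RCE
# path; script/html tags cover the stored-XSS path when the file is served inline.
EXEC_MARKERS = (b"<?php", b"<?=", b"<script", b"<html")


def validate_file_info(file_info):
    """Return a list of reasons to reject the upload; an empty list means it passed."""
    findings = []
    name = str(file_info.get("name", ""))
    mime = str(file_info.get("type", "")).lower()

    try:
        data = base64.b64decode(file_info.get("base64_encoded_data", ""), validate=True)
    except (binascii.Error, ValueError):
        return ["base64_encoded_data is not valid base64"]

    if re.search(r"[/\\\x00]", name) or name in ("", ".", ".."):
        findings.append("filename contains a path separator, NUL byte or is empty")

    magics, allowed_exts = ALLOWED_TYPES.get(mime, ((), set()))
    if mime not in ALLOWED_TYPES:
        findings.append(f"declared MIME type {mime!r} is not an allowed image type")

    parts = name.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext not in allowed_exts:
        findings.append(f"extension {ext!r} is not allowed for {mime!r}")
    if ".php" in name.lower():  # catches photo.php and double extensions like photo.php.gif
        findings.append("filename contains '.php'")

    if magics and not data.startswith(magics):
        findings.append("file content does not start with the magic bytes of the declared type")

    for marker in EXEC_MARKERS:
        if marker in data:
            findings.append(f"embedded {marker.decode()} marker: possible polyglot")

    return findings


def is_safe_upload(file_info):
    """Convenience wrapper: True only when no finding was raised."""
    return not validate_file_info(file_info)


def _encode(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples. Real uploads would carry full image data.
GOOD_PNG = {"name": "logo.png", "type": "image/png",
            "base64_encoded_data": _encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)}

# Polyglot: valid GIF header followed by an inert PHP open tag, with a .php name.
POLYGLOT_GIF = {"name": "photo.php", "type": "image/gif",
                "base64_encoded_data": _encode(b"GIF89a\x01\x00\x01\x00" + b"<?php /* constructed */ ?>")}

# HTML posing as PNG: the stored-XSS variant if the file were served inline.
HTML_AS_PNG = {"name": "banner.png", "type": "image/png",
               "base64_encoded_data": _encode(b"<html><script>/* constructed */</script></html>")}

if __name__ == "__main__":
    for label, sample in [("good", GOOD_PNG), ("polyglot", POLYGLOT_GIF), ("html", HTML_AS_PNG)]:
        print(label, validate_file_info(sample))
```

The magic-byte check alone is not enough, since a polyglot deliberately starts with a valid image header; the marker scan is what catches the PHP or script body that follows it. Conversely, the marker scan alone would miss a renamed HTML file with no script tag, which is why the declared type, extension and header are all required to agree.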

Timeline

Date        Event
2026-03-16  Sansec adds PolyShell protection to Shield
2026-03-17  Sansec adds detection patterns to eComscan
2026-03-17  Sansec issues public warning
