Use of insufficiently random values in magento-lts - CVE-2026-42155

Published: May 5, 2026


Vulnerability identifier: #VU129644
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42155
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OPENMAGE
Affected software:
magento-lts

Detailed vulnerability description

The vulnerability allows a remote attacker to hijack active API sessions and gain the capabilities of the authenticated API user.

The vulnerability exists due to the use of insufficiently random values in API session ID generation in the start() method of Mage/Api/Model/Session.php when handling API login requests. A remote attacker can generate candidate session identifiers and send crafted API requests to hijack active API sessions and gain the capabilities of the authenticated API user.

The issue affects legacy API surfaces that share the same session generation logic, including XML-RPC, SOAP v1, SOAP v2, and legacy REST.
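The following PHP is an added illustration of the weakness class (CWE-330) and its remediation; it is not code from magento-lts or OpenMage and does not reproduce the affected start() method. It assumes a session identifier that is a 64-character hex string and a server-side table of active sessions keyed by a digest of that identifier; both are illustrative choices, as are the function names.

```php
<?php
// Added illustration for CWE-330 (not magento-lts code): a predictable
// session-ID generator beside a hardened one, plus the server-side handling
// that goes with it. Assumptions: 64-character hex session IDs and an
// in-memory array standing in for the session store.

declare(strict_types=1);

/**
 * Weak pattern (do not use). mt_rand() is a Mersenne Twister, not a CSPRNG,
 * and here it is seeded from the clock, so every ID issued in a given
 * second comes from the same short, reproducible sequence.
 */
function weakSessionId(): string
{
    mt_srand((int) microtime(true));
    return md5((string) mt_rand());
}

/**
 * Hardened form: 32 bytes (256 bits) from the OS CSPRNG. random_bytes()
 * throws if no secure source is available instead of degrading silently.
 */
function strongSessionId(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Issue a fresh ID on every login and store only its SHA-256 digest, so a
 * copy of the session table does not hand out usable identifiers.
 * $store is passed by reference to stand in for a database table.
 */
function issueSession(array &$store, string $userId): string
{
    $id = strongSessionId();
    $store[hash('sha256', $id)] = ['user' => $userId, 'issued' => time()];
    return $id;
}

/**
 * Validate a presented ID: reject malformed input before any lookup, then
 * resolve the digest. Returns the user ID or null when no session matches.
 */
function validateSession(array $store, string $presented): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null;
    }
    $record = $store[hash('sha256', $presented)] ?? null;
    return $record['user'] ?? null;
}

/**
 * After upgrading the generator, IDs issued by the old one must not stay
 * valid: drop every session issued before the fix was deployed.
 * Returns the number of sessions revoked.
 */
function revokeSessionsIssuedBefore(array &$store, int $cutoff): int
{
    $before = count($store);
    $store = array_filter($store, fn(array $r): bool => $r['issued'] >= $cutoff);
    return $before - count($store);
}

// Constructed demo: one login, one validation, then a post-patch revocation.
$store = [];
$id = issueSession($store, 'api-user-42');
echo validateSession($store, $id) ?? 'rejected', PHP_EOL;
echo validateSession($store, weakSessionId()) ?? 'rejected', PHP_EOL;
echo revokeSessionsIssuedBefore($store, time() + 1), ' session(s) revoked', PHP_EOL;
```

The practical point for operators is the last function: replacing the generator protects sessions created after the update, but identifiers issued by the weak generator remain guessable until they are invalidated, so existing API sessions should be revoked when the vendor update is applied.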


How to mitigate CVE-2026-42155

Install the security update from the vendor's website.

Sources