CVE-2026-42155
CriticalSummary
In Magento Long Term Support (LTS) versions prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated time-based method, leading to low entropy levels. This violates OWASP ASVS and NIST standards, allowing attackers to perform brute-force attacks on active API sessions.
Risk Assessment
Organizations using Magento LTS may be at risk of session hijacking, potentially leading to unauthorized access to system data and functions. The lack of proper security in session ID generation poses a high risk.
Recommendation
It is recommended to upgrade to version 20.18.0 or later to benefit from the improved session ID generation mechanism. Additionally, implementing API rate limiting can help minimize the risk of brute-force attacks.
Original NVD description (English source)
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). All inputs to the MD5 hash are time-derived and non-secure. Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions. This vulnerability is fixed in 20

