[PaaS only]{class="badge informative" title="Applies to Adobe Commerce on Cloud projects (Adobe-managed PaaS infrastructure) and on-premises projects only."}

Customer group names, segments, and promotional rule information exposed via GraphQL

This article provides a hotfix to prevent the exposure of customer group names, customer segments, and promotional rule information via GraphQL. The issue is scheduled to be fixed in Adobe Commerce 2.4.8-p1.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.8

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.8

Issue

For Storefront Personalization Drop-ins, new GraphQL queries were introduced to return basic information such as customer group names, customer segments, and cart and catalog price rules. Because the names of these objects are returned to storefront clients, including guest sessions, anything an administrator has put into a rule, group, or segment name, for example offer details or coupon codes, is exposed to anyone who runs the query.

Steps to reproduce

Case I: Catalog Rule

  1. On the Admin sidebar, go to Marketing > Catalog Price Rule > Add New Rule.

  2. Define the rule conditions (for example, product attribute or category).

  3. Save and apply the rule.

  4. Ensure a product meets the rule conditions.

  5. Run the following GraphQL query to fetch all the rules:

    ```graphql
    query {
        allCatalogRules {
            name
        }
    }
    ```

  6. Query a product to verify if the rule applies:

    ```graphql
    query {
        products(filter: { sku: { eq: "product-sku" } }) {
            items {
                name
                rules {
                    name
                }
            }
        }
    }
    ```


Case II: Cart Rule

  1. On the Admin sidebar, go to Marketing > Cart Price Rule > Add New Rule.

  2. Set conditions such as minimum cart value and customer group.

  3. Save and apply the rule.

  4. Add products to cart to trigger the rule.

  5. Use GraphQL to verify all the cart rules:

    ```graphql
    query {
        allCartRules {
            name
        }
    }
    ```

  6. Check if rules are applied to the active cart:

    ```graphql
    query {
        cart(cart_id: "your-cart-id") {
            rules {
                name
            }
        }
    }
    ```


Case III: Customer Group

  1. On the Admin sidebar, go to Customers > Customer Groups.

  2. Verify that the expected groups exist.

  3. Use GraphQL to fetch all groups:

    ```graphql
    query {
        allCustomerGroups {
            name
        }
    }
    ```

  4. Verify the customer/guest’s group:

    ```graphql
    query {
        customerGroup {
            name
        }
    }
    ```


Case IV: Customer Segment (for Adobe Commerce only)

  1. On the Admin sidebar, go to Customers > Customer Segments > Add Segment.

  2. Define customer-based conditions (for example, order, cart contents).

  3. Assign applicable scope: Visitor, Registered, or both.

  4. Ensure that the conditions match a test customer.

  5. Use GraphQL to check all segments:

    ```graphql
    query {
        allCustomerSegments {
            name
            apply_to
        }
    }
    ```

  6. Validate the segments applied to a cart:

    ```graphql
    query {
        customerSegments(cartId: "your-cart-id") {
            name
        }
    }
    ```

Expected result:

Names of customer groups, segments, and promotional rule information aren’t exposed through GraphQL.

Actual result:

Names of customer groups, segments, and promotional rule information are exposed through GraphQL.
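The following script is added here as an example; it is not part of this article or of Adobe's hotfix. It runs the argument-free queries from Cases I-IV (the per-product and per-cart queries take an id and can be added in the same shape) against a store's GraphQL endpoint as a guest, reports which queries still hand back names, and flags names that look like they carry a discount figure or a coupon-style code, which is the leak the Issue section describes. Everything not on the page is an assumption: the `/graphql` endpoint path, sending the request with no Authorization header, the sensitivity heuristics, and the sample responses, which are constructed so the check runs offline (the "patched" sample is a stand-in, not the hotfix's real response).

```python
"""Probe an Adobe Commerce GraphQL endpoint with the queries from the
reproduction steps and report which ones still return promotion, group, or
segment names to an anonymous caller.

Added example, not code from the article or from Adobe.  Assumptions not taken
from the page: the endpoint is <store>/graphql, the probe is sent with no
Authorization header (a guest), and the PATCHED sample below is a constructed
stand-in, not the real output of the hotfix.
"""
import json
import re
import urllib.request

# The argument-free queries from Cases I-IV.  customerSegments(cartId:) and
# products(...){rules{name}} need an id; add them in the same shape if wanted.
PROBES = {
    "allCatalogRules":     "query { allCatalogRules { name } }",
    "allCartRules":        "query { allCartRules { name } }",
    "allCustomerGroups":   "query { allCustomerGroups { name } }",
    "customerGroup":       "query { customerGroup { name } }",
    "allCustomerSegments": "query { allCustomerSegments { name apply_to } }",
}

# Heuristics (assumed, not from the page) for names that leak more than a label:
# a percentage, a currency amount, a promo word, or an uppercase alphanumeric
# token of 6+ characters that contains a digit (typical coupon code shape).
DISCOUNT = re.compile(r"\d+\s?%|[$€£]\s?\d|\b(coupon|promo|code)\b", re.I)
CODE_TOKEN = re.compile(r"\b(?=[A-Z0-9]*\d)[A-Z0-9]{6,}\b")


def looks_sensitive(name):
    return bool(DISCOUNT.search(name) or CODE_TOKEN.search(name))


def extract_names(probe, body):
    """Names found under data.<probe>; [] if the field is absent, null, or errored."""
    value = ((body or {}).get("data") or {}).get(probe)
    if value is None:
        return []
    if isinstance(value, dict):          # customerGroup returns one object, not a list
        value = [value]
    return [v["name"] for v in value if isinstance(v, dict) and v.get("name")]


def classify(probe, body):
    names = extract_names(probe, body)
    if names:
        status = "EXPOSED"               # names came back to a guest caller
    elif (body or {}).get("errors"):
        status = "BLOCKED"               # schema or authorization error, nothing leaked
    else:
        status = "EMPTY"                 # field answered but no objects configured
    return {"status": status, "names": names,
            "sensitive": [n for n in names if looks_sensitive(n)]}


def post_query(endpoint, query, timeout=10):
    """POST one query as a guest: JSON body, no cookies, no Authorization header."""
    req = urllib.request.Request(
        endpoint, data=json.dumps({"query": query}).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def run_probes(endpoint, fetch=post_query):
    report = {}
    for probe, query in PROBES.items():
        try:
            report[probe] = classify(probe, fetch(endpoint, query))
        except Exception as exc:         # transport failure is not a verdict
            report[probe] = {"status": "ERROR", "names": [], "sensitive": [],
                             "error": str(exc)}
    return report


def still_exposed(report):
    """Probe names whose field still returned names; empty once the fix is in."""
    return sorted(p for p, r in report.items() if r["status"] == "EXPOSED")


# Constructed sample responses so the check runs offline.
UNPATCHED = {
    "allCatalogRules":     {"data": {"allCatalogRules": [{"name": "Spring clearance 30% off"}]}},
    "allCartRules":        {"data": {"allCartRules": [{"name": "Coupon VIPSAVE20 free shipping"}]}},
    "allCustomerGroups":   {"data": {"allCustomerGroups": [{"name": "Wholesale"}, {"name": "VIP"}]}},
    "customerGroup":       {"data": {"customerGroup": {"name": "NOT LOGGED IN"}}},
    "allCustomerSegments": {"data": {"allCustomerSegments": [{"name": "High spenders", "apply_to": "REGISTERED"}]}},
}
PATCHED = {p: {"data": None, "errors": [{"message": "constructed: field unavailable"}]}
           for p in PROBES}


def fake_fetch(responses):
    """Stand-in for post_query that answers from a dict of canned responses."""
    def fetch(endpoint, query):
        probe = next(p for p in PROBES if PROBES[p] == query)
        return responses[probe]
    return fetch


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        report = run_probes("https://store.example/graphql", fake_fetch(sample))
        print(label, "still exposed:", still_exposed(report))
        for probe, r in report.items():
            if r["sensitive"]:
                print("  ", probe, "sensitive-looking names:", r["sensitive"])
```

To run it against a real store you are authorized to test, call `run_probes("https://<store>/graphql")` with the default `post_query` before and after applying the patch; `still_exposed()` should be empty afterwards, and any name the heuristic flags on the unpatched store is worth renaming regardless, since the hotfix only stops the GraphQL path, not other places a rule or segment name may be rendered.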

Solution

Apply the attached patches depending on your Adobe Commerce version:
