ACSD-60584: Access token created for one website is allowed to access information on other websites

The ACSD-60584 patch fixes the issue where the access token created for the user on one website is allowed to access or change customer information on other websites. This patch is available when the Quality Patches Tool (QPT) 1.1.53 is installed. The patch ID is ACSD-60584. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.8.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.6-p1

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.5 - 2.4.6-p8
NOTE
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.

Issue

The API token created for the user on one website allows you to access customer information, create a cart, and add products to the cart on other website views.

Steps to reproduce:

  1. Ensure Share Customer Accounts configuration is set to Per Website.
  2. Create additional website, store, and storeview.
  3. Create two customers with the same email on the main website and the website from the previous step.
  4. Generate a customer token via GraphQL on the main website.
  5. Using the generated token, send a customer GraphQL query with the second website in the header to retrieve customer information.
  6. Observe the returned result.

Expected results:

Customer information from the main website is returned because the token from the main website is used in GraphQL query.

Actual results:

Customer information from the second website is returned.

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

For info about other patches available in QPT, refer to Quality Patches Tool: Search for patches in the Quality Patches Tool guide.

recommendation-more-help
c2d96e17-5179-455c-ad3a-e1697bb4e8c3