
Critical Magento REST API File Upload Flaw (PolyShell) – What You Need to Know

21 March 2026 by TechStora

Sansec has reported a critical security flaw in the Magento REST API that enables unauthenticated attackers to upload arbitrary files to the server.

The vulnerability, dubbed PolyShell, relies on disguising malicious code as an image file. When a product option of type file is submitted, Magento processes an embedded fileinfo object that contains base64‑encoded data, a MIME type, and a filename. The file is then written to pub/media/custom_options/quote on the host.

Depending on the server's configuration, the uploaded file can be executed as PHP code, granting remote code execution, or it can be used for stored XSS attacks that lead to account takeover.

Affected Software

  • All Magento Open Source versions up to 2.4.9‑alpha2
  • All Adobe Commerce versions up to 2.4.9‑alpha2

Adobe has released a fix in the 2.4.9‑prerelease branch (referenced in APSB‑2594), but the patch is not yet available for current production releases.

Potential Impact

  • Remote code execution via PHP file upload
  • Stored XSS leading to account takeover
  • Defacement of storefronts when attackers place plain‑text files in publicly accessible directories

Mitigation Steps

  1. Apply the official Adobe patch as soon as it becomes available for your version.
  2. Review and tighten web‑server configuration to prevent execution of files in pub/media/custom_options/quote. For Apache, add php_flag engine off for that directory; for Nginx, deny execution of PHP scripts there.
  3. Restrict file‑type handling in the REST API: allow only the specific image MIME types required for legitimate use.
  4. Implement a Web Application Firewall (WAF) that can inspect multipart requests and block suspicious file uploads.
  5. Audit existing files in the affected directory for unexpected scripts or non‑image content.
  6. Monitor server logs for unusual upload activity, especially POST requests to /rest/V1/carts that contain a fileinfo payload.
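As an added example for the audit in step 5 (this is not code from Sansec, Netcraft or Adobe), the script below walks a directory such as pub/media/custom_options/quote, checks each file's magic bytes against the image types a legitimate product-option upload should have, and flags files that are not images at all or that carry PHP or script markup behind a valid image header, which is the disguise PolyShell relies on. The accepted image list and the script's file name are assumptions.

```python
"""Audit an upload directory for non-image files and image/PHP polyglots.
Added example (not Sansec's, Netcraft's or Adobe's code); the accepted
image types are an assumption and should match what the store allows."""
import os
import re
import sys

# Magic-byte prefixes for the image types an upload is expected to be.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image file.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def detect_image_type(data):
    """Return the image type whose magic bytes open `data`, or None."""
    for name, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def classify_file(data):
    """Classify raw content as 'clean', 'polyglot' or 'not-image'."""
    if detect_image_type(data) is None:
        return "not-image"  # plain text, PHP, HTML, SVG: never a valid upload
    if SCRIPT_MARKERS.search(data):
        return "polyglot"  # valid image header with script markup inside
    return "clean"


def audit_directory(root):
    """Map every file path under `root` to its classification."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings[path] = classify_file(fh.read())
    return findings


if __name__ == "__main__":
    # Usage: python audit_uploads.py pub/media/custom_options/quote
    for path, verdict in sorted(audit_directory(sys.argv[1]).items()):
        if verdict != "clean":
            print(f"{verdict}: {path}")
```

Anything reported as polyglot or not-image deserves a manual look and a check of the web-server access log for the request that created it.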

Additional Context

Netcraft has observed an ongoing campaign that began on 27 February 2026, targeting Magento stores across multiple sectors. Attackers upload plain‑text files to publicly accessible directories, resulting in widespread defacement.

Store owners should act promptly to apply the recommended configuration changes and keep an eye on future Adobe security advisories for the official patch.