PT-2026-37249 · Openmage · Magento-Lts

Published 2026-05-05 · Updated 2026-05-18 · CVE-2026-42155

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Magento Long Term Support (LTS) versions prior to 20.18.0

Description: The XML-RPC and SOAP API session ID is generated using an outdated, time-based construction instead of a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). The generation process relies on the start() function, which uses an MD5 hash of time-derived and non-secure inputs, including time() and uniqid(). Because the resulting digest depends on the timestamp and the PHP internal Linear Congruential Generator (LCG) state, the entropy is severely limited.

An attacker can narrow the LCG window through server state leaks or predictability and, by exploiting the lack of API rate-limiting, execute a high-speed online brute-force attack to hijack active API sessions. This affects the following endpoints:
  • /api/xmlrpc/
  • /api/soap/
  • /api/v2_soap/
  • /api/rest/

Recommendations: Update to version 20.18.0. As a temporary workaround, restrict access to the vulnerable API endpoints /api/xmlrpc/, /api/soap/, /api/v2_soap/, and /api/rest/ to minimize the risk of exploitation.
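The following PHP snippet is an added illustration, not OpenMage's start() code: weak_api_session_id() mirrors the kind of clock-and-LCG-derived inputs the description names, and secure_api_session_id() shows the CSPRNG construction a fix should use; both function names are hypothetical.

```php
<?php
// Added illustration of the weak pattern described in the advisory next to a
// CSPRNG replacement. NOT the project's own start() implementation; the weak
// function only reproduces the class of inputs the advisory names.

// Weak: every input comes from the clock or from PHP's LCG. uniqid() encodes
// seconds + microseconds; with $more_entropy = true it appends a value from
// lcg_value(), the combined LCG the advisory refers to. An observer who can
// bound the request time also bounds the set of possible digests, and MD5
// adds no entropy of its own.
function weak_api_session_id(): string
{
    return md5(uniqid((string) time(), true));
}

// Fixed: 32 bytes from the operating system's CSPRNG. random_bytes() throws
// when no secure source is available instead of falling back silently.
function secure_api_session_id(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
}

// Defensive helper: compare a presented id with the stored one in constant
// time so validation does not leak matching prefixes through timing.
function session_id_matches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Constructed sanity checks; run with: php this_file.php
$weak   = weak_api_session_id();
$strong = secure_api_session_id();
if (strlen($weak) !== 32 || strlen($strong) !== 64) {
    throw new RuntimeException('unexpected id length');
}
if (!session_id_matches($strong, $strong) || session_id_matches($weak, $strong)) {
    throw new RuntimeException('comparison helper misbehaved');
}
echo "weak (clock/LCG-derived): $weak\n";
echo "secure (CSPRNG):          $strong\n";
```

The digest length is the same in both cases, which is why length or format checks on an existing token say nothing about whether its source was unpredictable.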

Weakness Enumeration: Use of Insufficiently Random Values

Related Identifiers: CVE-2026-42155, GHSA-2CWR-GCF9-PVXR

Affected Products: Magento-Lts, Openmage Magento Lts