PT-2026-6367 · Packagist · Algolia/Algoliasearch-Magento-2

Published

2026-01-14

·

Updated

2026-01-14

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Impact

Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution.
If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed.
Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.

Patches

This vulnerability has been fixed in the following versions:
  • 3.17.2
  • 3.16.2
Merchants should upgrade to a supported patched version immediately.
Versions outside the supported maintenance window do not receive security updates and remain vulnerable.

Workarounds

Upgrading to a patched version is the only recommended remediation.
If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:
  • Disable the Algolia indexing queue to prevent queued jobs from being executed.
  • Restrict job execution logic to an explicit allowlist of permitted operations.
  • Review the contents of the algoliasearch queue table for unexpected or unrecognized entries.
  • If queue archiving is enabled, review historical records in algoliasearch queue archive.
These mitigations are provided as guidance only and do not replace upgrading to a patched version.

References

  • Algolia Search & Discovery for Magento 2 releases:
  • 3.16.2
  • 3.17.2

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

GHSA-595P-G7XC-C333

Affected Products

Algolia/Algoliasearch-Magento-2