ANAVEM

PolyShell Flaw Exposes Magento Stores to RCE Attacks

Critical Magento REST API vulnerability allows unauthenticated attackers to upload malicious executables disguised as images for remote code execution.

20 March 2026, 10:30

Last updated 20 March 2026, 23:00

Severity: Critical
Patch status: Unavailable
Vendor: Adobe Magento
Affected: Magento Commerce and Magento O...
Category: Vulnerabilities

PolyShell Vulnerability Discovered in Magento REST API

Security researchers at Sansec discovered a critical vulnerability in Magento's REST API that enables unauthenticated attackers to upload arbitrary executable files and achieve remote code execution on e-commerce stores. The flaw, designated PolyShell by Sansec, exploits weaknesses in how Magento's API processes file uploads, specifically allowing malicious code to be disguised as legitimate image files.

The vulnerability was identified during routine security research conducted by Sansec's threat intelligence team in March 2026. The attack vector leverages Magento's REST API endpoints that handle media uploads, bypassing standard file validation mechanisms that typically prevent executable uploads. Attackers can craft specially formatted files that appear as valid images to the upload validation system while containing embedded executable code that gets processed by the server.

According to BleepingComputer's security analysis, the vulnerability stems from insufficient input validation in Magento's media handling components. The REST API fails to properly sanitize uploaded files, allowing attackers to embed PHP code or other server-side scripts within image headers or metadata sections. When these files are processed by the server, the embedded code executes with the same privileges as the web application.

The attack technique represents a sophisticated form of polyglot file exploitation, where a single file serves multiple purposes depending on how it's interpreted. In this case, the malicious file functions as both a valid image format and an executable script. This dual nature allows it to pass initial security checks while maintaining its malicious payload for later execution. The vulnerability affects the core REST API functionality that many Magento installations rely on for content management and third-party integrations.

Magento Installations Vulnerable to PolyShell Attacks

The PolyShell vulnerability affects Magento Commerce and Magento Open Source installations that expose REST API endpoints for media uploads. This includes both cloud-hosted Magento Commerce instances and self-hosted Magento Open Source deployments running default configurations. E-commerce stores using Magento's standard media management features are particularly at risk, as these systems typically allow file uploads through various API endpoints.

Magento installations with custom API configurations or third-party extensions that interact with the REST API may face elevated risk levels. The vulnerability impacts stores regardless of their hosting environment, affecting both shared hosting platforms and dedicated server deployments. Small to medium-sized e-commerce businesses running Magento without dedicated security teams are especially vulnerable, as they may lack the resources to implement comprehensive API security monitoring.

The potential impact extends beyond individual store compromises. Successful exploitation could lead to complete server takeover, allowing attackers to access customer databases, payment information, and administrative credentials. In multi-tenant hosting environments, a compromised Magento installation could serve as a pivot point for lateral movement to other hosted applications. The vulnerability also poses risks to supply chain security, as compromised e-commerce platforms could be used to distribute malware to customers or inject malicious scripts into legitimate transactions.

Mitigation Steps for PolyShell Vulnerability

Organizations running Magento installations should immediately implement several defensive measures to protect against PolyShell attacks. First, administrators should review and restrict REST API access permissions, ensuring that only authenticated users with appropriate privileges can access media upload endpoints. This involves configuring API authentication tokens and implementing proper access controls through Magento's admin panel or configuration files.

Network-level protections should include implementing Web Application Firewall (WAF) rules that inspect uploaded files for suspicious content patterns. Security teams should configure their WAF to block files containing embedded scripts or unusual metadata structures. Additionally, file upload directories should be configured with strict execution permissions, preventing any uploaded content from being executed directly by the web server. This can be achieved through .htaccess rules on Apache servers or equivalent configurations on Nginx deployments.

For immediate protection, administrators should consider temporarily disabling non-essential REST API endpoints until official patches become available. This can be done through Magento's API configuration settings or by implementing reverse proxy rules that block specific API routes. Organizations should also enable comprehensive logging for all API requests, particularly those involving file uploads, to detect potential exploitation attempts. Regular security audits of uploaded files and monitoring for unexpected executable content in media directories are essential ongoing protective measures.

Long-term security improvements should include implementing content security policies that restrict script execution from uploaded content areas and establishing regular vulnerability scanning procedures for Magento installations. Organizations should also consider implementing additional file validation layers that perform deep content inspection beyond standard MIME type checking, ensuring that uploaded files match their declared formats throughout their entire structure.
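The deep content inspection this section calls for, as an added example that is not Sansec's or Magento's code: a Python checker that walks a PNG's chunk structure from the signature to IEND, verifies every chunk CRC, flags script markers hidden in chunks such as tEXt, and rejects any bytes that trail IEND. The same function serves the media-directory audit mentioned above; the three sample images are constructed inline.

```python
"""Deep-inspect PNG uploads for polyglot payloads (added example, not Sansec's or
Magento's code): intact chunks to IEND, no script markers, nothing after IEND."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # server-side tags that have no place in an image

def png_chunks(data: bytes):
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])  # chunk header
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4:  # payload or CRC cut short by end of file
            raise ValueError("truncated chunk")
        if struct.pack(">I", zlib.crc32(ctype + payload)) != crc:
            raise ValueError(f"bad CRC on {ctype.decode(errors='replace')} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    if pos != len(data):  # bytes after IEND are never image data
        raise ValueError(f"{len(data) - pos} trailing bytes after IEND")

def inspect_png(data: bytes) -> list:
    """Return findings; an empty list means the bytes are a clean, well-formed PNG."""
    findings = []
    try:
        for ctype, payload in png_chunks(data):
            for marker in SCRIPT_MARKERS:
                if marker in payload:
                    findings.append(f"script marker {marker!r} in {ctype.decode()} chunk")
    except ValueError as err:
        findings.append(str(err))
    return findings

def _chunk(ctype: bytes, payload: bytes) -> bytes:  # build a chunk with a valid CRC
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed samples: a 1x1 RGB PNG, one with a PHP tag inside a tEXt chunk, one with a tag after IEND.
_HEAD = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
_TAIL = _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b"")
CLEAN_PNG = _HEAD + _TAIL
POLYGLOT_PNG = _HEAD + _chunk(b"tEXt", b"Comment\x00<?php echo 1; ?>") + _TAIL
TRAILING_PNG = CLEAN_PNG + b"<?php echo 1; ?>"
```

Run `inspect_png(path.read_bytes())` over each file in a media directory and quarantine anything that returns findings; a genuine image from any encoder yields an empty list.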

Frequently Asked Questions

How does the PolyShell vulnerability work in Magento?
PolyShell exploits Magento's REST API by allowing attackers to upload malicious executable files disguised as images. The vulnerability bypasses file validation mechanisms, enabling remote code execution when the disguised files are processed by the server.

Which Magento versions are affected by PolyShell?
Both Magento Commerce and Magento Open Source installations with REST API endpoints enabled are vulnerable to PolyShell attacks. The vulnerability affects default configurations that allow media uploads through API endpoints.

How can I protect my Magento store from PolyShell attacks?
Implement strict REST API access controls, configure WAF rules to inspect uploaded files, disable non-essential API endpoints, and restrict execution permissions on upload directories. Enable comprehensive logging and monitor for suspicious file uploads.
