AEM Security Vulnerability

Hello Everyone,


One of my clients is utilizing AEM Cloud, but our internal team has discovered a critical vulnerability that has not been communicated by the Adobe Cloud team.
Here are the steps to replicate the issue:

  1. Launch a web browser.
  2. Go to the URL: https://<domain>/bin/querybuilder.json;x='x/graphql/execute/json/'? path=/etc&p.hits=full&p.limit=-1
  3. Notice that the endpoint can be accessed without any authentication.
  4. This endpoint can be utilized to explore internal content structures by adjusting the query parameters accordingly.

I would like to know if anyone else has encountered this vulnerability. If so, how was it addressed?


Has Adobe Cloud provided a solution (please include the security patch number or Adobe link), or did your development team handle it?

Please share the details of any solutions that were implemented.

Note: Though I found the blog, I need to understand which Adobe Security Patch is linked to it.

1 Reply

Community Advisor

Hi @avesh_narang,

Maybe you can try authenticating access to the AEM Query Builder and GraphQL endpoints, including the specific URL provided, using the following methods:

  • Session Establishment:
    When accessing the /bin/querybuilder.json or GraphQL endpoints directly from within an AEM-managed environment (e.g., from a custom component or backend service), the request typically inherits the existing AEM user session.

  • Login:
    If the request is made from a context without an established AEM session (e.g., from a new browser window or a standalone Java application), the user will likely be redirected to the AEM login page to authenticate with valid credentials.
2. Dispatcher Filters (for AEM Headless deployments):
  • Allow Rules: In AEM Headless deployments, the Dispatcher plays a crucial role in filtering requests. Configure Dispatcher filters to allow specific URLs and methods for GraphQL endpoints, such as:

    /0600 {/type "allow"/method '(POST|OPTIONS)'/url "/graphql/execute.json/*"}

-Tarun
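The URL reported in the question carries a Sling path-parameter segment (`;x='...'`) followed by a query string, so a filter that matches the raw request line can see `/graphql/execute` while the resource that actually resolves is `/bin/querybuilder.json`. As an added example (not from the post, the reply or Adobe), the Python below shows why matching on a canonicalized path with deny rules evaluated first matters, and doubles as a scanner for access logs; the canonicalization model, the denied-prefix policy and the sample request lines are constructed assumptions, not Dispatcher's real matcher.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (method + raw URL); not real traffic.
SAMPLE_REQUESTS = [
    "GET /content/wknd/us/en.html",
    "POST /graphql/execute.json/wknd-shared/adventures-all",
    "GET /bin/querybuilder.json;x='x/graphql/execute/json/'?path=/etc&p.hits=full&p.limit=-1",
    "GET /bin/querybuilder.json?path=/content&p.limit=-1",
    "GET /bin/%71uerybuilder.json?path=/etc",
]

# Assumed policy: paths that must never be reachable anonymously via the publish tier.
DENIED_PREFIXES = ("/bin/querybuilder", "/bin/wcm", "/system/console")


def canonical_path(raw_url: str) -> str:
    """Reduce a raw request URL to the resource path Sling would resolve.
    Drops the query string, percent-decodes, strips ';name=value' path
    parameters from every segment and collapses duplicate slashes (assumed model)."""
    path = unquote(raw_url.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return re.sub(r"/{2,}", "/", "/".join(segments))


def naive_allow(raw_url: str) -> bool:
    """Weak check: allow anything whose raw URL mentions the GraphQL endpoint."""
    return "/graphql/execute" in raw_url


def canonical_decision(raw_url: str) -> str:
    """Hardened check: decide on the canonical path, deny list evaluated first."""
    path = canonical_path(raw_url)
    if path.startswith(DENIED_PREFIXES):
        return "deny"
    if path.startswith("/graphql/execute.json"):
        return "allow"
    return "default"


def find_bypass_attempts(requests):
    """Return raw URLs the naive filter would allow but canonical matching denies,
    i.e. the lines worth alerting on when scanning access logs."""
    flagged = []
    for line in requests:
        _method, raw_url = line.split(" ", 1)
        if naive_allow(raw_url) and canonical_decision(raw_url) == "deny":
            flagged.append(raw_url)
    return flagged
```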