AEM Security Vulnerability

Level 4

Hello Everyone,


One of my clients is utilizing AEM Cloud, but our internal team has discovered a critical vulnerability that has not been communicated by the Adobe Cloud team.
Here are the steps to replicate the issue:

  1. Launch a web browser.
  2. Go to the URL: https://<domain>/bin/querybuilder.json;x='x/graphql/execute/json/'? path=/etc&p.hits=full&p.limit=-1
  3. Notice that the endpoint can be accessed without any authentication.
  4. This endpoint can be utilized to explore internal content structures by adjusting the query parameters accordingly.

I would like to know if anyone else has encountered this vulnerability. If so, how was it addressed?


Has Adobe Cloud provided a solution (please include the security patch number or Adobe link), or did your development team handle it?

Please share the details of any solutions that were implemented.

Note: Though I found the blog, I still need to understand which Adobe Security Patch is linked to it.

2 Replies

Community Advisor

Hi @avesh_narang,

Maybe you can try authenticating access to the AEM Query Builder and GraphQL endpoints, including the specific URL provided, using the following methods:

  • Session Establishment: 
    When accessing the /bin/querybuilder.json or GraphQL endpoints directly from within an AEM-managed environment (e.g., from a custom component or backend service), the request typically inherits the existing AEM user session.

  • Login: 
    If the request is made from a context without an established AEM session (e.g., from a new browser window or a standalone Java application), the user will likely be redirected to the AEM login page to authenticate with valid credentials.
2. Dispatcher Filters (for AEM Headless deployments):
  • Allow Rules: In AEM Headless deployments, the Dispatcher plays a crucial role in filtering requests. Configure Dispatcher filters to allow specific URLs and methods for GraphQL endpoints, such as:

    /0600 {/type "allow"/method '(POST|OPTIONS)'/url "/graphql/execute.json/*"}

-Tarun
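As an added illustration of the Dispatcher-filter approach described in the reply above (this is a constructed example, not Tarun's rule, not Adobe's default filters.any and not a patch), the fragment below shows the GraphQL allow rule followed by explicit deny rules for the Query Builder servlets. Rule numbers, the `/path` regexes and the `^/bin/.*` deny are assumptions for a headless publish tier; adjust them to what the site actually serves.

```text
# Constructed example of an AEM Dispatcher filters.any fragment (not Adobe's defaults).
# Dispatcher evaluates filter rules in order and the last matching rule wins,
# so the deny rules for /bin must come AFTER the allow rules.

# Typical starting point: deny everything, then open only what is needed.
/0001 { /type "deny" /url "*" }

# Allow the headless GraphQL endpoint for the methods it needs.
# A value in single quotes is a regular expression; anchoring it with ^ and $
# means only this exact path (plus an optional suffix) matches, rather than any
# request whose URL happens to contain the string "/graphql/execute".
/0600 { /type "allow" /method '(POST|OPTIONS)' /path '^/graphql/execute\.json(/.*)?$' }

# Explicitly deny the Query Builder servlets on the publish tier, placed after
# the allow so that no earlier rule can re-open them.
/0700 { /type "deny" /path '^/bin/querybuilder\.(json|feed)(/.*)?$' }

# Assumption: nothing under /bin is needed on publish for this site; if some
# servlet is required, add a narrow, anchored allow for it AFTER this line.
/0701 { /type "deny" /path '^/bin/.*' }
```

After deploying, verify from outside the Dispatcher that a request for `/bin/querybuilder.json` returns a 403/404 and that the GraphQL endpoint still answers for the allowed methods. Dispatcher filters are only the outer layer: the publish instance itself should still require authentication for Query Builder (AEM's Sling authentication requirements), so that a filter mistake does not expose the repository structure.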

Level 4

Thanks @TarunKumar,

I see that this could be a possible solution, but there may be additional patterns that could bypass this validation.

Given that dispatcher settings are default when establishing the Maven repository and affect all Adobe clients, Adobe might have encountered this issue and could have provided a security patch for it.

I would appreciate community assistance in guiding me to the correct security patch, ensuring it is a foolproof solution and endorsed by Adobe.

Thanks