Arbitrary Code Injection Affecting algolia/algoliasearch-magento-2 package, versions <3.16.2>=3.17.0-beta.1, <3.17.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-ALGOLIAALGOLIASEARCHMAGENTO2-14944657
- published15 Jan 2026
- disclosed14 Jan 2026
- creditIvan Chepurnyi
Introduced: 14 Jan 2026
New CVE NOT AVAILABLE CWE-94 (opens in a new tab)How to fix?
Upgrade algolia/algoliasearch-magento-2 to version 3.16.2, 3.17.2 or higher.
Overview
algolia/algoliasearch-magento-2 is an Algolia Search & Discovery extension for Magento 2
Affected versions of this package are vulnerable to Arbitrary Code Injection via the job execution process. An attacker can execute arbitrary PHP code by injecting malicious data into the database records used by the indexing queue.
Note: This is only exploitable if the attacker can write to the database and the indexing queue is enabled.
Workaround
This vulnerability can be mitigated by disabling the indexing queue, restricting job execution logic to an explicit allowlist of permitted operations, and reviewing the contents of the algoliasearch_queue and algoliasearch_queue_archive tables for unexpected entries.