GHSA-595p-g7xc-c333: Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling

January 14, 2026

Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution.

If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed.

Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.

References

github.com/advisories/GHSA-595p-g7xc-c333
github.com/algolia/algoliasearch-magento-2
github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2
github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2
github.com/algolia/algoliasearch-magento-2/security/advisories/GHSA-595p-g7xc-c333

Code Behaviors & Features

Detect and mitigate GHSA-595p-g7xc-c333 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →