
Customer group names, segments, and promotional rule information exposed via GraphQL

This article provides a hotfix to prevent the exposure of customer group names, customer segments, and promotional rule information via GraphQL. The issue is scheduled to be fixed in Adobe Commerce 2.4.8-p1.

Description

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.8

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.8

Issue

For Storefront Personalization Drop-ins, new GraphQL queries (the allCatalogRules, allCartRules, allCustomerGroups, and allCustomerSegments fields used below, plus the rule and segment sub-fields on products and carts) were introduced to return basic information such as customer group names, segment names, and cart and catalog rule names. Those names are often written by merchants for internal use and can carry sensitive data, such as offer details or coupon codes, so returning them to any client that can reach the GraphQL endpoint discloses that data.

Steps to reproduce

Case I: Catalog Rule

  1. On the Admin sidebar, go to Marketing > Catalog Price Rule > Add New Rule.

  2. Define the rule conditions (for example, product attribute or category).

  3. Save and apply the rule.

  4. Ensure a product meets the rule conditions.

  5. Run the following GraphQL query to fetch all the rules:

    ```graphql
    query {
        allCatalogRules {
            name
        }
    }
    ```
  6. Query a product to verify if the rule applies:

    ```graphql
    query {
        products(filter: { sku: { eq: "product-sku" } }) {
            items {
                name
                rules {
                    name
                }
            }
        }
    }
    ```

Case II: Cart Rule

  1. On the Admin sidebar, go to Marketing > Cart Price Rule > Add New Rule.

  2. Set conditions such as minimum cart value and customer group.

  3. Save and apply the rule.

  4. Add products to cart to trigger the rule.

  5. Use GraphQL to verify all the cart rules:

    ```graphql
    query {
        allCartRules {
            name
        }
    }
    ```
  6. Check if rules are applied to the active cart:

    ```graphql
    query {
        cart(cart_id: "your-cart-id") {
            rules {
                name
            }
        }
    }
    ```

Case III: Customer Group

  1. On the Admin sidebar, go to Customers > Customer Groups.

  2. Verify that the expected groups exist.

  3. Use GraphQL to fetch all groups:

    ```graphql
    query {
        allCustomerGroups {
            name
        }
    }
    ```
  4. Verify the customer's or guest's group:

    ```graphql
    query {
        customerGroup {
            name
        }
    }
    ```

Case IV: Customer Segment (for Adobe Commerce only)

  1. On the Admin sidebar, go to Customers > Customer Segments > Add Segment.

  2. Define customer-based conditions (for example, order, cart contents).

  3. Assign applicable scope: Visitor, Registered, or both.

  4. Ensure that the conditions match a test customer.

  5. Use GraphQL to check all segments:

    ```graphql
    query {
        allCustomerSegments {
            name
            apply_to
        }
    }
    ```
  6. Validate the segments applied to a cart:

    ```graphql
    query {
        customerSegments(cartId: "your-cart-id") {
            name
        }
    }
    ```

Expected result:

Names of customer groups, segments, and promotional rule information aren't exposed through GraphQL.

Actual result:

Names of customer groups, segments, and promotional rule information are exposed through GraphQL.
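The four collection queries from the reproduction steps can be scripted into a single check to run before and after applying the patch. The following Python script is an added example and is not part of the Adobe article or of the hotfix: it posts each of the four queries to a store's /graphql endpoint with no authorization header or session cookie, and reports which fields still return names. The endpoint URL, the sample JSON bodies, and the shape of the patched response (a schema error for the removed field) are assumptions constructed for illustration; the article only states that names must not be returned, not how the fix enforces it.

```python
"""Probe an Adobe Commerce GraphQL endpoint for the name-exposing queries.

Added example, not part of the Adobe article or the hotfix. It sends the
same four collection queries the reproduction steps use as an anonymous
client and reports which ones return names. The endpoint URL and the
sample JSON responses below are constructed for illustration.
"""
import json
import urllib.request

# The four collection queries from the reproduction steps. Any name they
# return goes to whoever can reach /graphql, no login required.
PROBES = {
    "allCatalogRules": "query { allCatalogRules { name } }",
    "allCartRules": "query { allCartRules { name } }",
    "allCustomerGroups": "query { allCustomerGroups { name } }",
    "allCustomerSegments": "query { allCustomerSegments { name apply_to } }",
}


def exposed_names(field, body):
    """Return the list of names a decoded GraphQL response exposes for `field`.

    A response that carries only `errors` (for example because the field is
    gone from the schema) or a null/empty `data` entry exposes nothing.
    """
    data = body.get("data") or {}
    items = data.get(field) or []
    if isinstance(items, dict):  # single-object fields such as customerGroup
        items = [items]
    return [item["name"] for item in items if isinstance(item, dict) and item.get("name")]


def classify(results):
    """Map each probed field to 'EXPOSED' or 'not exposed' from its response body."""
    return {
        field: ("EXPOSED" if exposed_names(field, body) else "not exposed")
        for field, body in results.items()
    }


def send_query(endpoint, query, timeout=10):
    """POST one GraphQL query with no auth header or cookie; return parsed JSON."""
    payload = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        endpoint,
        data=payload,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def probe(endpoint):
    """Run every probe against a live endpoint; returns {field: verdict}."""
    return classify({f: send_query(endpoint, q) for f, q in PROBES.items()})


# Constructed sample responses (no store was queried). The first mimics an
# unpatched store whose cart rule name carries a coupon code; the second
# mimics a store where the field is no longer available (assumed shape).
SAMPLE_UNPATCHED = {
    "data": {"allCartRules": [{"name": "VIP20 - 20% off for VIP group"}]}
}
SAMPLE_PATCHED = {
    "errors": [{"message": 'Cannot query field "allCartRules" on type "Query".'}]
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Hypothetical usage: python probe.py https://store.example/graphql
        for field, verdict in probe(sys.argv[1]).items():
            print(f"{field}: {verdict}")
    else:
        print(classify({"allCartRules": SAMPLE_UNPATCHED}))  # EXPOSED
        print(classify({"allCartRules": SAMPLE_PATCHED}))    # not exposed
```

Run it against the store's GraphQL URL before and after applying the patch; any field still reported EXPOSED returns names to an anonymous client. The cart- and product-scoped queries (cart.rules, products.items.rules, customerSegments(cartId)) need a cart ID or SKU and are not probed here.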

Resolution

Apply the attached patch for your edition of version 2.4.8:

  • For Adobe Commerce version 2.4.8:

  • For Magento Open Source version 2.4.8:
