Queue Jumping to RCE: Algolia for Magento 2 Object Instantiation
Jan 14, 2026 · 6 min read
Executive Summary (TL;DR)
The Algolia Magento 2 extension treats the contents of its own database table as trusted input. It uses a custom SQL-based queue in which the class name and method to be executed for each job are stored as plain text. If an attacker can insert a row into this table (via SQL injection or compromised database credentials), the queue worker asks the Magento ObjectManager to instantiate the named class and then calls the named public method on it, so any public method on any class in the codebase becomes reachable, leading to Remote Code Execution. The fix restricts job dispatch to a strict whitelist of allowed handler class/method pairs.
A critical vulnerability in the Algolia Search & Discovery extension for Magento 2 allows for Remote Code Execution via insecure handling of queue jobs. By manipulating the `algoliasearch_queue` table, an attacker can force the application to instantiate arbitrary classes and execute arbitrary methods.
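The following PHP is an added illustration of the dispatch pattern described above; it is not the Algolia extension's own code. It models a queue row from `algoliasearch_queue` with assumed column names (`class`, `method`, `data`), a stand-in for Magento's ObjectManager, and two hypothetical classes (`Demo\ProductIndexer`, `Demo\Sink`). It shows the unsafe dispatch beside a whitelist-based one, plus an audit helper that flags queue rows whose handler is not on the whitelist.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Algolia extension. Column names and class
// names are assumptions chosen for illustration.

namespace Demo;

// Stand-in for Magento's ObjectManager: resolves a class name to an instance.
final class ObjectManager
{
    public function get(string $type): object
    {
        return new $type();
    }
}

// A legitimate indexing job handler (hypothetical name).
final class ProductIndexer
{
    public function rebuildProductIds(array $ids): string
    {
        return 'indexed ' . implode(',', $ids);
    }
}

// Any class with a public method is reachable through the unsafe path.
// This harmless stand-in simply records that it was invoked.
final class Sink
{
    public static array $calls = [];

    public function record(array $data): string
    {
        self::$calls[] = $data;
        return 'sink reached';
    }
}

// Vulnerable pattern: class and method are taken straight from the queue row.
function runJobUnsafe(ObjectManager $om, array $row): string
{
    $handler = $om->get($row['class']);
    return (string) call_user_func_array(
        [$handler, $row['method']],
        [json_decode($row['data'], true, 512, JSON_THROW_ON_ERROR)]
    );
}

// Hardened pattern: only (class, method) pairs on a fixed whitelist may run.
const ALLOWED_JOBS = [
    ProductIndexer::class => ['rebuildProductIds'],
];

function runJobSafe(ObjectManager $om, array $row, array $allowed = ALLOWED_JOBS): string
{
    $class = ltrim($row['class'], '\\');
    if (!isset($allowed[$class]) || !in_array($row['method'], $allowed[$class], true)) {
        throw new \RuntimeException("Rejected queue job {$class}::{$row['method']}");
    }
    $handler = $om->get($class);
    return (string) $handler->{$row['method']}(
        json_decode($row['data'], true, 512, JSON_THROW_ON_ERROR)
    );
}

// Audit helper: returns queue rows whose handler is not on the whitelist.
function suspiciousRows(array $rows, array $allowed = ALLOWED_JOBS): array
{
    return array_values(array_filter($rows, function (array $r) use ($allowed): bool {
        $class = ltrim($r['class'], '\\');
        return !isset($allowed[$class]) || !in_array($r['method'], $allowed[$class], true);
    }));
}

// Constructed sample rows: one legitimate job and one injected row.
$rows = [
    ['job_id' => 1, 'class' => ProductIndexer::class, 'method' => 'rebuildProductIds', 'data' => '[42,43]'],
    ['job_id' => 2, 'class' => Sink::class, 'method' => 'record', 'data' => '{"cmd":"anything"}'],
];

$om = new ObjectManager();
echo runJobUnsafe($om, $rows[0]), "\n";   // legitimate job runs
echo runJobUnsafe($om, $rows[1]), "\n";   // injected row reaches an arbitrary class/method
echo runJobSafe($om, $rows[0]), "\n";     // legitimate job still runs
try {
    runJobSafe($om, $rows[1]);
} catch (\RuntimeException $e) {
    echo $e->getMessage(), "\n";           // injected row is rejected
}
echo count(suspiciousRows($rows)), " suspicious row(s)\n";
```

The whitelist is keyed on the fully qualified class name with any leading backslash stripped, and the method check uses strict comparison, so a row cannot slip past with a differently spelled but equivalent name. The audit helper is the check an operator can run over the existing `algoliasearch_queue` contents before and after patching: any row it returns was never a job the extension itself would have enqueued.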
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Algolia Search & Discovery for Magento 2 | Algolia | < 3.16.2 | 3.16.2 |
| Algolia Search & Discovery for Magento 2 | Algolia | < 3.17.2 | 3.17.2 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Untrusted Data Handling / Unsafe Reflection |
| CWE ID | CWE-470 |
| Attack Vector | Network (requires write access to the database, e.g. via SQL injection or compromised credentials) |
| Impact | Remote Code Execution (RCE) |
| CVSS Score (Est.) | 9.1 (Critical) |
| Exploit Status | PoC Available (Theoretical) |
CWE Mapping
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')