Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user’s account.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24401
Reference (s):
- https://helpx.adobe.com/security/products/magento/apsb20-59.html
- URL: https://helpx.adobe.com/security/products/magento/apsb20-59.html