
@damienwebdev
Last active April 14, 2025 22:12

❗ Magento v2.4.8 "Feature" ❗

In Magento v2.4.8, the names of all Cart Rule and Catalog Rule promotions are public and enumerable by default via a single network request (per type).

Are you a customer of a store that uses Magento? Guess what — all promotions that store has configured are now publicly accessible. Just pick a URL and fire away:

curl --location 'https://www.yourmagentostore.com/graphql' \
--header 'Content-Type: application/json' \
--data '{"query":"query {\n    allCartRules {\n        name\n    }\n}","variables":{}}'

Not everything about the promotion is exposed — only the name — but that’s still significant. If a merchant includes the promo code in the promotion name (e.g., SPRING20, CHAMPIONSHIP10, 2025BLOWOUT), that code is now public knowledge.

This includes past promotions that are still active as well as upcoming ones.

  • Want to wait for a better deal? Query the API to see if there's an upcoming promotion.
  • Want to know if there's a TESTFREEORDER code that the merchant uses for testing? Now you can.

Coupons.com, Honey, Groupon, RetailMeNot — they’re going to have a field day.

Want to disable it?

bin/magento config:set promo/graphql/share_all_sales_rule 0
bin/magento config:set catalog/rule/share_all_catalog_rules 0
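To confirm the change actually took effect on your own store, the following added check (example code, not part of the gist) sends the same `allCartRules { name }` query shown above, reports whether names still come back, and flags any returned name that looks like it embeds a coupon code so it can be renamed. The `fetch_cart_rules` helper and the all-caps code heuristic are assumptions; the sample responses are constructed, since the page does not show what Magento returns once the setting is off.

```python
"""Verify that a Magento 2.4.8 storefront no longer leaks cart-rule names."""
import json
import re
import urllib.request

# The exact query from the gist's curl command.
CART_RULES_QUERY = "query { allCartRules { name } }"

# Heuristic (assumption): an all-caps alphanumeric token of 6-20 chars,
# e.g. SPRING20, 2025BLOWOUT, TESTFREEORDER, is probably a promo code.
CODE_LIKE = re.compile(r"\b[A-Z0-9]{6,20}\b")


def classify_response(payload: dict, field: str = "allCartRules") -> dict:
    """Classify a GraphQL response: are rule names exposed, and which look like codes?

    A GraphQL error, a missing/null field, or an empty list are all treated as
    'no names leaked'; only a non-empty list of names counts as exposed.
    """
    data = payload.get("data") or {}
    rules = data.get(field)
    if not isinstance(rules, list):
        return {"exposed": False, "names": [], "code_like": []}
    names = [r.get("name", "") for r in rules if isinstance(r, dict)]
    code_like = [n for n in names if CODE_LIKE.search(n)]
    return {"exposed": bool(names), "names": names, "code_like": code_like}


def fetch_cart_rules(graphql_url: str, timeout: float = 10.0) -> dict:
    """POST the query to your own store's /graphql endpoint and return the JSON."""
    body = json.dumps({"query": CART_RULES_QUERY, "variables": {}}).encode()
    req = urllib.request.Request(
        graphql_url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_EXPOSED = {"data": {"allCartRules": [
    {"name": "Spring sale SPRING20"},
    {"name": "Free shipping over $50"},
    {"name": "TESTFREEORDER"},
]}}
SAMPLE_DISABLED = {"errors": [{"message": "field disabled (constructed)"}], "data": None}

if __name__ == "__main__":
    # Replace the samples with fetch_cart_rules("https://<your-store>/graphql").
    for label, sample in (("exposed", SAMPLE_EXPOSED), ("disabled", SAMPLE_DISABLED)):
        print(label, classify_response(sample))
```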

If you're an Adobe Commerce merchant, notify your team and open a support ticket ASAP.

Good luck running parallel or stealth promotions with this enabled.
