⏰ Magento v2.4.8 "Feature" #2 — allCustomerGroups ⏰
In Magento v2.4.8, the names of all customer groups are publicly accessible via a single GraphQL query — no authentication required.
Yep, even if your store only shows special pricing, payment options, or products to certain customer groups (like Wholesale, VIP, B2B Tier 3, Retail EU, etc.), the entire list of those groups is out in the open by default.
Here's all it takes:
curl --location 'yourmagentostore/graphql' \
--header 'Content-Type: application/json' \
--data '{"query":"query {\n allCustomerGroups {\n name\n }\n}","variables":{}}'
The response? Something like:
{
  "data": {
    "allCustomerGroups": [
      {
        "name": "NOT LOGGED IN"
      },
      {
        "name": "General"
      },
      {
        "name": "Wholesale"
      },
      {
        "name": "Retailer"
      }
    ]
  }
}
Why does this matter?
- Attackers now know which customer groups exist and can probe for pricing or access differences.
- Internal group names meant for staff or staging environments are now public.
- Any custom logic tied to group names? It's now easier to reverse-engineer.
- This is potentially risky for stores using Magento’s shared catalogs, customer group–based pricing, or B2B features.
How to turn it off?
bin/magento config:set customer/account_information/graphql_share_all_customer_groups 0
Until then, this data is up for grabs.
If you're an Adobe Commerce merchant using B2B or customer group segmentation, escalate this to your team and open a ticket immediately.
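A self-check to run against your own store before and after flipping that setting, added here and not part of the original post or of Magento. It sends the same unauthenticated query as the curl above and reports which group names come back, separating the stock Magento groups from merchant-defined ones; it assumes the endpoint is `<store>/graphql` and that a hardened store answers with an empty list, a null field or a GraphQL error.

```python
"""Self-check for the Magento 2.4.8 allCustomerGroups exposure (added example).

Assumptions not taken from the page: the hardened store returns an empty list,
a null field or a GraphQL error; the endpoint path is <store>/graphql.
"""
import json
import urllib.error
import urllib.request

# The exact query from the curl example above.
PROBE = {"query": "query {\n allCustomerGroups {\n name\n }\n}", "variables": {}}

# Stock Magento groups (the ones in the sample response above). Anything else is
# merchant-defined segmentation that an anonymous caller should not learn.
STOCK_GROUPS = {"NOT LOGGED IN", "General", "Wholesale", "Retailer"}


def classify_response(body: dict) -> dict:
    """Interpret an unauthenticated allCustomerGroups response body."""
    groups = (body.get("data") or {}).get("allCustomerGroups")
    if groups:
        names = [g.get("name", "") for g in groups]
        custom = sorted(set(names) - STOCK_GROUPS)
        return {"verdict": "exposed", "groups": names, "custom_groups": custom}
    # Empty list, null field or GraphQL error: the list is not being handed to
    # anonymous callers (assumed shape of the response once the flag is 0).
    return {"verdict": "hardened", "groups": [], "custom_groups": []}


def audit_store(store_url: str, timeout: float = 10.0) -> dict:
    """POST the probe to your own store with no auth header and classify it."""
    req = urllib.request.Request(
        store_url.rstrip("/") + "/graphql",
        data=json.dumps(PROBE).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # A non-200 is treated the same as a GraphQL error: nothing was leaked.
        body = {"errors": [{"message": f"HTTP {exc.code}"}], "data": None}
    return classify_response(body)


if __name__ == "__main__":
    import sys
    print(json.dumps(audit_store(sys.argv[1]), indent=2))
```

Run it as `python3 check_groups.py https://yourmagentostore` (hypothetical file name); a verdict of `exposed` with a non-empty `custom_groups` list is the case worth escalating.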