Preconditions and environment

• Magento version: 2.4.x (affects all versions with DynamicStorage)
• Environment: Any Magento installation with:
  • CMS pages with URL rewrites (e.g., privacy-policy-cookie-restriction-mode)
  • Categories with URL rewrites (e.g., schroeven)
  • Catalog URL Rewrite module enabled
• Modules: Default Magento installation (no third-party modules required to reproduce)
• URL Structure: Category URLs with CMS page identifiers as suffixes

Steps to reproduce

Prerequisites Setup:

1. Create Category:

   • Create a category with URL key schroeven
   • Note the category entity_id (e.g., ID = 48)

2. Create CMS Page:

   • Create a CMS page with identifier privacy-policy-cookie-restriction-mode
   • Note the CMS page entity_id (e.g., ID = 4)

3. Create Product with Matching ID:

   • Create a product with entity_id = 4 (same as CMS page ID)
   • This is crucial - the product ID must match the CMS page ID
   • Assign this product to the schroeven category (ID 48)
   • Ensure the product is enabled and visible

4. System Maintenance:

   bin/magento indexer:reindex
   bin/magento cache:clean
   bin/magento cache:flush

Reproduction Steps:

5. Verify URL rewrites exist in database:

   -- Should show CMS page rewrite
   SELECT * FROM url_rewrite WHERE request_path = 'privacy-policy-cookie-restriction-mode';
   -- Should show category rewrite  
   SELECT * FROM url_rewrite WHERE request_path = 'schroeven.html';

6. Navigate to malformed URL: /schroeven/privacy-policy-cookie-restriction-mode

7. Observe the response

Why This Setup Is Required:

• DynamicStorage extracts privacy-policy-cookie-restriction-mode
• Finds CMS page with entity_id=4 (but treats it as product_id=4)
• Checks if product_id=4 can be shown in category_id=48 using ProductResource::canBeShowInCategory(4, 48)
• Since product ID 4 IS assigned to category 48, the check passes
• DynamicStorage creates: /cms/page/view/page_id/4/category/48

Expected result

The URL /schroeven/privacy-policy-cookie-restriction-mode should return HTTP 404 because:

• It's not a valid product URL pattern
• It's not a valid category URL
• It's not a valid CMS page URL
• This malformed URL pattern should not resolve to any content

Actual result

The URL /schroeven/privacy-policy-cookie-restriction-mode returns HTTP 200 and serves the CMS page content with category context.

Root Cause Analysis:
The issue occurs in vendor/magento/module-catalog-url-rewrite/Model/Storage/DynamicStorage.php:

1. Method findProductRewriteByRequestPath() extracts privacy-policy-cookie-restriction-mode from the URL
2. It queries url_rewrite table WITHOUT filtering by entity_type
3. Query finds the CMS page URL rewrite (entity_type = 'cms-page')
4. DynamicStorage treats the CMS page as if it's a product
5. Creates malformed target path: /cms/page/view/page_id/X/category/Y
6. UrlRewrite Router serves this as valid content

Problematic Code (line ~147):

$productFromDb = $this->connection->fetchRow($this->prepareSelect($data));

The $data array only contains request_path and store_id - missing entity_type = 'product' filter.

Additional information

Database Evidence:

-- This query shows the CMS page that gets incorrectly matched
SELECT * FROM url_rewrite WHERE request_path = 'privacy-policy-cookie-restriction-mode';
-- Returns: entity_type='cms-page', entity_id=4, target_path='cms/page/view/page_id/4'

Debug Logs:
When processing /schroeven/privacy-policy-cookie-restriction-mode:

1. UrlRewrite Router calls DynamicStorage
2. DynamicStorage finds CMS page data (should only find products)
3. Router creates Forward action to /cms/page/view/page_id/4/category/48

Affected Code Files:

• vendor/magento/module-catalog-url-rewrite/Model/Storage/DynamicStorage.php (lines 140-200)
• Method: findProductRewriteByRequestPath()

Suggested Fix:
Add entity_type filtering in the database query:

// Before querying for "product" data, ensure we only get products
$data[UrlRewrite::ENTITY_TYPE] = 'product';
$productFromDb = $this->connection->fetchRow($this->prepareSelect($data));

Security Impact: None - this is a URL routing issue, not a security vulnerability.

Performance Impact: Minimal - affects only specific URL patterns.

Workaround: Plugin on UrlRewrite Router to block malformed URL patterns before they reach DynamicStorage.

Release note

Fixed DynamicStorage URL rewrite query to properly filter by entity_type, preventing CMS pages from being incorrectly processed as products in category URL contexts.

Triage and priority

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.

  Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.

  Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.

  Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.

  Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
  To pick up a draggable item, press the space bar. While dragging, use the arrow keys to move the item. Press space again to drop the item in its new position, or press escape to cancel.