As part of our recent internal security audit, we identified a vulnerability related to unrestricted access to the Optimizely Configured Commerce Admin Console.

In the legacy V1 architecture, administrators could restrict Admin Console access by domain or IP range using configuration updates (as described in the Optimizely documentation: https://docs.developers.optimizely.com/configured-commerce/docs/restricting-access-to-admin). However, in the V3 architecture, this capability is no longer supported or configurable within the managed environment.

Our support engagement (Ticket #1788512) confirmed that this feature was not migrated to V3 due to complications with the impersonation feature and has since been deprecated. As a result, customers currently have no configuration-based control over Admin Console access restrictions.

We request an enhancement to reintroduce or provide an alternative mechanism for controlling and limiting access to the Admin Console, ideally at the domain, IP, or network level.