Magento 2 Import Bug: Hidden Products Accessible via URL Rewrites & GraphQL
This community insight highlights a critical bug in Magento 2 (versions 2.4.8, 2.4.6-p8, and 2.4-develop) where changing a product's visibility to "Not visible individually" via CSV import fails to properly remove its associated URL rewrite records. This leads to a significant issue: products intended to be hidden from individual access remain discoverable through their direct URLs and are still returned by GraphQL API queries, potentially impacting SEO, data consistency, and integration logic.
Problem Description:
The reported issue details a scenario where a product initially created with "Catalog, Search" visibility is later updated via a CSV import to "Not visible individually." The expected behavior is for the product's direct URL to return a 404 error and for GraphQL queries targeting that product's route to return null. However, the system's actual behavior deviates significantly.
Upon importing the CSV, the product's URL rewrite records are not deleted. Consequently, accessing the product's URL in the frontend (Luma theme) does not result in a 404. More critically for developers and integrations, a GraphQL route query using the product's URL key continues to return detailed product information, including its __typename, relative_url, redirect_code, and url_rewrites. This indicates that the system internally still considers the product route active, despite its visibility setting.
Steps to Reproduce (as reported):
- Create a product with visibility "Catalog, Search".
- Verify product accessibility in Luma frontend (no 404).
- Prepare a CSV file to change the product's visibility to "Not visible individually".
- Import the CSV file.
- Check Luma frontend: Product should ideally throw 404.
- Execute a GraphQL query for the product's route:
{
  route(url: "joust-duffle-bag.html") {
    __typename
    relative_url
    redirect_code
    type
    ... on SimpleProduct {
      sku
      url_key
      uid
      url_rewrites {
        url
        parameters {
          name
          value
        }
      }
      relative_url
      redirect_code
      type
    }
  }
}
Expected vs. Actual Results:
The expected result is for the GQL route query to return null, signifying the product is not individually visible. The actual result shows the system returning comprehensive route data, including __typename: "SimpleProduct", relative_url, and url_rewrites, confirming the URL rewrite records persist.
{
  "data": {
    "route": {
      "__typename": "SimpleProduct",
      "relative_url": "new-joust-duffle-bag.html",
      "redirect_code": 301,
      "type": "PRODUCT",
      "sku": "24-MB01",
      "url_key": "new-joust-duffle-bag",
      "uid": "MQ==",
      "url_rewrites": [
        {
          "url": "new-joust-duffle-bag.html",
          "parameters": [
            {
              "name": "id",
              "value": "1"
            }
          ]
        },
        {
          "url": "gear/new-joust-duffle-bag.html",
          "parameters": [
            {
              "name": "id",
              "value": "1"
            },
            {
              "name": "category",
              "value": "3"
            }
          ]
        },
        {
          "url": "gear/bags/new-joust-duffle-bag.html",
          "parameters": [
            {
              "name": "id",
              "value": "1"
            },
            {
              "name": "category",
              "value": "4"
            }
          ]
        }
      ]
    }
  }
}
Impact and Community Response:
This bug carries a "Severity: S1" rating, indicating it "Affects critical data or functionality and forces users to employ a workaround." For merchants, this could lead to unintended indexing of hidden products by search engines, creating SEO issues like duplicate content or exposing products not meant for direct browsing. For developers, it means GQL queries cannot be reliably used to determine a product's individual visibility status, potentially breaking custom integrations or headless commerce frontends that rely on this data.
The issue has been confirmed by engcom-Bravo on the latest 2.4-develop branch, verifying its presence across recent Magento 2 versions. A Jira issue (AC-16522) has been created, indicating it's now in the official backlog for resolution. As of the current discussion, no direct workaround or solution has been provided within the GitHub thread, emphasizing the need for an official fix.
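A post-import audit can surface affected products until a fix ships. The following is an added example, not code from the GitHub thread or from Magento: it reads the import CSV, picks out SKUs set to "Not visible individually", and flags any whose route query still resolves. The CSV column names `sku` and `visibility`, the SKUs 24-MB02 and 24-MB03, and the `constructed-*.html` URLs are assumptions for illustration; the responses are expected to be collected from your own store's GraphQL endpoint.

```python
import csv
import io
import json

HIDDEN = "not visible individually"
# Same route query as in the report, trimmed to the fields the audit needs.
ROUTE_QUERY = ("{ route(url: %s) { __typename relative_url redirect_code type "
               "... on SimpleProduct { sku url_rewrites { url } } } }")

def hidden_skus(csv_text):
    """SKUs the import file sets to 'Not Visible Individually'."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["sku"].strip() for r in rows
            if (r.get("visibility") or "").strip().lower() == HIDDEN}

def build_route_query(url):
    """GraphQL document for one URL; json.dumps escapes the string literal."""
    return ROUTE_QUERY % json.dumps(url)

def audit(csv_text, responses):
    """responses maps requested URL -> parsed GraphQL response body."""
    hidden = hidden_skus(csv_text)
    findings = []
    for url, body in responses.items():
        route = (body.get("data") or {}).get("route")
        if not route or route.get("sku") not in hidden:
            continue  # null route (expected) or product not meant to be hidden
        findings.append({
            "sku": route["sku"],
            "requested": url,
            "resolved": route.get("relative_url"),
            "stale_rewrites": [rw["url"] for rw in route.get("url_rewrites") or []],
        })
    return findings

# Constructed sample input: import rows plus abridged route responses.
SAMPLE_CSV = ('sku,visibility\n24-MB01,Not Visible Individually\n'
              '24-MB02,"Catalog, Search"\n24-MB03,Not Visible Individually\n')
SAMPLE_RESPONSES = {
    "joust-duffle-bag.html": {"data": {"route": {
        "__typename": "SimpleProduct", "relative_url": "new-joust-duffle-bag.html",
        "redirect_code": 301, "type": "PRODUCT", "sku": "24-MB01",
        "url_rewrites": [{"url": "new-joust-duffle-bag.html"},
                         {"url": "gear/new-joust-duffle-bag.html"},
                         {"url": "gear/bags/new-joust-duffle-bag.html"}]}}},
    "constructed-visible.html": {"data": {"route": {
        "__typename": "SimpleProduct", "sku": "24-MB02", "url_rewrites": []}}},
    "constructed-hidden.html": {"data": {"route": None}},
}
```

Calling `audit(SAMPLE_CSV, SAMPLE_RESPONSES)` returns one finding, for 24-MB01, listing the three rewrite paths that still resolve.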
Conclusion:
This Magento 2 bug highlights a critical inconsistency between product visibility settings, the import process, URL rewrite management, and GraphQL API responses. For any e-commerce business on Magento 2, particularly those using CSV imports for product updates or leveraging GraphQL for headless architectures, this issue demands attention. While awaiting an official patch, understanding this behavior is crucial for maintaining SEO integrity and reliable data flows.