Spree Commerce IDOR Vulnerability (CVE-2026-25758) Analysis

Critical Vulnerability Information Vulnerability Summary Type: IDOR (Insecure Direct Object References) Severity: High CVE ID: CVE-2026-25758 CWEs: CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key) Affected Scope Affected Versions - spree_api (RubyGems): <4.10.3, <5.0.8, <5.1.10, <5.2.7, <5.3.2 Fixed Versions - spree_api (RubyGems): 4.10.3, 5.0.8, 5.1.10, 5.2.7, 5.3.2 Vulnerability Description This vulnerability exists in the guest checkout flow of Spree Commerce, allowing any guest user to bind arbitrary guest addresses to their order by manipulating the address ID parameter. This leads to unauthorized access to other guests’ personally identifiable information (PII), including name, address, and phone number. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. Vulnerability Cause Since Spree’s address IDs are sequentially numbered, attackers can easily enumerate and retrieve all guest addresses. Affected Code Components 1. Permitted Attributes File Path: - Allows and as permitted parameters without validation. 2. Checkout Update File Path: - Directly applies permitted parameters to the model’s . 3. Incomplete Ownership Validation File Path: - only validates nested attribute structure, not and fields. 4. Vulnerable Assignment Logic File Path: - The setters for and do not properly validate address ownership. Proof of Concept (PoC) Prerequisites: A guest address must exist in the Spree database. Attackers can modify a curl request script to target the current value, accessing the victim’s address and causing PII leakage. Vulnerability Impact May result in leakage of personally identifiable information (PII) for guest users, including name, address, and phone number. Disclosure Policy This report is subject to a 90-day disclosure period. For details, see Disclosure Policy.

Goal Reached Thanks to every supporter — we hit 100%!

Spree Commerce IDOR Vulnerability (CVE-2026-25758) Analysis

More from this source