Description
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
Published: 2026-01-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated IDOR leading to guest address disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in the Spree API allows any unauthenticated actor to read guest address information via insecure direct object references. The vulnerability is based on improper access control and falls under the CWE-639 weak authentication category. An attacker can exploit this to obtain personally identifiable information about site visitors without providing credentials, which could then be used for phishing or other social engineering attacks.

Affected Systems

The vulnerability affects Spree Commerce versions earlier than 4.10.2, 5.0.7, 5.1.9, and 5.2.5. Any deployment running an affected release remains at risk until it is upgraded to 4.10.2, 5.0.7, 5.1.9, 5.2.5 or a newer release.

Risk and Exploitability

The CVSS score of 7.5 places the issue in the high severity range, though the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would involve sending direct HTTP requests to the address endpoints exposed by the API, requiring no authentication or session context. The attack path is shallow and does not depend on complex prerequisites, making it easy to execute if an attacker discovers the endpoint.

Generated by OpenCVE AI on April 18, 2026 at 07:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spree versions 4.10.2, 5.0.7, 5.1.9, 5.2.5 or later, which contain the fix.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the guest address API endpoints by enabling authentication checks or applying firewall rules to block non-authenticated traffic.
  • Configure application logs to detect and alert on repeated unauthenticated access attempts to address endpoints, and review for any unauthorized data disclosures.

Advisories
Source: GitHub GHSA
ID: GHSA-3ghg-3787-w2xr
Title: Spree API has Unauthenticated IDOR - Guest Address
History

Thu, 22 Jan 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Spreecommerce; Spreecommerce spree

Type: CPEs
Values Added: cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Spreecommerce; Spreecommerce spree

Mon, 12 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Spree; Spree spree

Type: Vendors & Products
Values Added: Spree; Spree spree

Sat, 10 Jan 2026 03:45:00 +0000

Type: Description
Values Added: Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

Type: Title
Values Added: Spree API has Unauthenticated IDOR - Guest Address

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added: (no values recorded)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T17:32:46.777Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22589

Vulnrichment

Updated: 2026-01-12T17:32:30.343Z

NVD

Status: Analyzed

Published: 2026-01-10T04:16:01.343

Modified: 2026-01-22T13:45:29.320

Link: CVE-2026-22589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses