Description
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: PII disclosure
Action: Patch
AI Analysis

Impact

Unauthenticated users can retrieve any completed guest order by providing its Order ID to the Spree Orders controller. The vulnerability arises because the controller does not enforce authentication or access checks for these orders, allowing disclosure of personally identifiable information such as names, addresses, and phone numbers. The weakness corresponds to CWE-639, Information Exposure from Public Endpoints. The likely attack vector is an HTTP request to the order endpoint, which the controller currently serves without requiring login or permission checks.

Affected Systems

Spree Commerce versions prior to 5.0.8, 5.1.10, 5.2.7, and 5.3.2 expose this flaw. Those releases allow any user to view guest order details because the Orders controller and number generator lack proper authorization safeguards.

Risk and Exploitability

The CVSS score of 7.7 signals high confidentiality impact, while the EPSS score of <1% indicates a low probability of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog, implying no large‑scale exploitation campaigns are known. Nevertheless, the flaw can be exploited trivially by guessing or enumerating order identifiers, potentially exposing dozens or hundreds of guest orders to unauthenticated parties.

Generated by OpenCVE AI on April 17, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spree Commerce to at least version 5.0.8 (or the corresponding patched releases 5.1.10, 5.2.7, 5.3.2).
  • Ensure that the orders API requires authentication or at least restricts access to the owner’s own orders.
  • Obfuscate or randomize order identifiers to mitigate straightforward enumeration attacks.

Generated by OpenCVE AI on April 17, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p6pv-q7rc-g4h9 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
History

Mon, 23 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Spreecommerce
Spreecommerce spree
CPEs cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*
Vendors & Products Spreecommerce
Spreecommerce spree
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Spree
Spree spree
Vendors & Products Spree
Spree spree

Fri, 06 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Title Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Spree Spree
Spreecommerce Spree
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:28.967Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25757

cve-icon Vulnrichment

Updated: 2026-02-09T15:21:53.488Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T23:15:54.527

Modified: 2026-02-23T17:40:58.347

Link: CVE-2026-25757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses