Description
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to guest personal information through an IDOR flaw in Spree Commerce
Action: Patch
AI Analysis

Impact

An IDOR flaw in Spree Commerce’s guest checkout flow lets unauthenticated users bind arbitrary guest addresses to their order by tampering with address‑ID parameters. This bypasses ownership validation checks, exposing personally identifiable information such as names, addresses, and phone numbers of other guests.

Affected Systems

The vulnerability affects all Spree Commerce installations running a version older than 4.10.3, 5.0.8, 5.1.10, 5.2.7, or 5.3.2. Because Spree is an open‑source e‑commerce platform built on Ruby on Rails, the flaw is present in every derived instance that has not applied the patch.

Risk and Exploitability

With a CVSS score of 7.7, the flaw is classified as high severity, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, signifying a low exploitation probability under current conditions. Likely exploitation requires only a simple URL manipulation by an unauthenticated guest user, making the attack vector straightforward and requiring no privileged access. Nevertheless, any attacker can obtain another guest’s PII, posing privacy and compliance risks.

Generated by OpenCVE AI on April 17, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spree to version 4.10.3 or newer (including 5.0.8, 5.1.10, 5.2.7, or 5.3.2) to apply the vendor patch that fixes the IDOR.
  • If an upgrade is not immediately possible, disable the ability for guest users to bind addresses to orders through configuration or custom code changes.
  • Continuously monitor order activity logs for anomalous address binding attempts and review guest checkout flows for unvalidated parameters.

Generated by OpenCVE AI on April 17, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87fh-rc96-6fr6 Unauthenticated Spree Commerce users can access all guest addresses
History

Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Spreecommerce
Spreecommerce spree
CPEs cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*
Vendors & Products Spreecommerce
Spreecommerce spree
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Spree
Spree spree
Vendors & Products Spree
Spree spree

Fri, 06 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Title Spree allows unauthenticated users can access all guest addresses
Weaknesses CWE-284
CWE-639
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Spree Spree
Spreecommerce Spree
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:51.129Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25758

cve-icon Vulnrichment

Updated: 2026-02-09T15:21:55.291Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T22:16:12.133

Modified: 2026-02-19T18:01:26.760

Link: CVE-2026-25758

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses