Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Cart Access and PII Exposure
Action: Patch Now
AI Analysis

Impact

This vulnerability is an Insecure Direct Object Reference in Craft Commerce’s cart functionality. The CartController accepts a user-supplied 32-character cart number and loads the corresponding cart without verifying ownership. As a result, an attacker who knows or can guess a cart ID can hijack that session, modify the cart contents, and potentially access or expose personally identifiable information. The weakness is classified as CWE‑639, an Information Exposure through IDOR.

Affected Systems

The flaw is present in all versions of CraftCommerce before 4.11.0 and 5.6.0. The affected product is CraftCMS:Commerce, which is identified in the CPE as cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*. Any deployment running one of the affected versions is vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% shows a low likelihood of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited publicly. Attackers gain access by sending a crafted HTTP request containing a cart number; no additional authentication is required beyond knowing or guessing a valid ID. The risk is therefore moderate due to the potential for PII exposure and the straightforward exploitation path, but it is tempered by the low probability of exploitation and lack of widespread advisories.

Generated by OpenCVE AI on March 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Craft Commerce to version 4.11.0 or later, or version 5.6.0 or later.

Generated by OpenCVE AI on March 17, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vff3-pqq8-4cpq Craft Commerce: Potential IDOR in Commerce carts
History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Wed, 11 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
Title Craft Commerce has a Potential IDOR in Commerce carts
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T13:49:48.940Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31867

cve-icon Vulnrichment

Updated: 2026-03-12T13:49:44.539Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T18:16:25.663

Modified: 2026-03-17T14:02:48.043

Link: CVE-2026-31867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:07Z

Weaknesses