Description
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized disclosure of private custom‑option data and cross‑user file exposure.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the shared wishlist add‑to‑cart endpoint, which accepts a public sharing code to identify a wishlist but then loads a wishlist item only by its global ID without verifying that the item actually belongs to that wishlist. An attacker can combine a valid sharing code from one wishlist with an arbitrary item ID from another user’s wishlist, causing the victim’s private custom‑option data to be copied into the attacker’s cart. If the product contains a file custom option, the file metadata is transferred as well and can be downloaded by the attacker because the download endpoint does not enforce ownership checks.

Affected Systems

OpenMage LTS, a community‑driven fork of Magento Community Edition, is affected. Versions prior to 20.17.0 contain the flaw; the issue was addressed in the 20.17.0 release.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is classified as medium severity. No EPSS score is available and it is not included in the CISA KEV catalog, so the likelihood of widespread exploitation is uncertain. Nevertheless, the attack requires only a valid sharing code and a wishlist item ID, and can be executed with moderate effort. Successful exploitation exposes private custom‑option data to an attacker and, if a file is involved, can lead to cross‑user file disclosure.

Generated by OpenCVE AI on April 20, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenMage LTS to version 20.17.0 or later to incorporate the fix.
  • If an upgrade cannot be performed immediately, configure the application to reject shared wishlist add‑to‑cart requests where the supplied wishlist_item_id does not belong to the wishlist referenced by the sharing_code, or disable the shared wishlist feature entirely.
  • Verify that file download endpoints enforce ownership checks; if not, restrict download access to the owner of the original wishlist item or apply a patch that validates file ownership before serving the file.

Generated by OpenCVE AI on April 20, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.
Title OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private option disclosure and file-disclosure variant
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T18:10:44.490Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40098

cve-icon Vulnrichment

Updated: 2026-04-20T18:10:40.621Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T17:16:34.543

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40098

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses