Vulnerability-Lookup

CVE-2026-25757 (GCVE-0-2026-25757)

Vulnerability from cvelistv5 – Published: 2026-02-06 22:37 – Updated: 2026-02-06 22:37

Title

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Summary

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/spree/spree/security/advisorie…	x_refsource_CONFIRM
	https://github.com/spree/spree/commit/3e00be64c12…	x_refsource_MISC
	https://github.com/spree/spree/commit/6b32ed7d474…	x_refsource_MISC
	https://github.com/spree/spree/commit/6f6b8a7a28a…	x_refsource_MISC
	https://github.com/spree/spree/commit/ea4a5db590c…	x_refsource_MISC
	https://github.com/spree/spree/blob/1341623f2ae92…	x_refsource_MISC
	https://github.com/spree/spree/blob/1341623f2ae92…	x_refsource_MISC
	https://github.com/spree/spree/blob/a878eb4a782ce…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	spree	spree	Affected: < 5.0.8 Affected: >= 5.1.0, < 5.1.10 Affected: >= 5.2.0, < 5.2.7 Affected: >= 5.3.0, < 5.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "spree",
          "vendor": "spree",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.1.0, \u003c 5.1.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.2.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.0, \u003c 5.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T22:37:07.542Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
        },
        {
          "name": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
        },
        {
          "name": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
        },
        {
          "name": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
        },
        {
          "name": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
        },
        {
          "name": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
        },
        {
          "name": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
        },
        {
          "name": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
        }
      ],
      "source": {
        "advisory": "GHSA-p6pv-q7rc-g4h9",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25757",
    "datePublished": "2026-02-06T22:37:07.542Z",
    "dateReserved": "2026-02-05T18:35:52.357Z",
    "dateUpdated": "2026-02-06T22:37:07.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25757\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T23:15:54.527\",\"lastModified\":\"2026-02-06T23:15:54.527\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-P6PV-Q7RC-G4H9

Vulnerability from github – Published: 2026-02-05 21:13 – Updated: 2026-02-07 00:33

Summary

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Details

Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)

The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.

Order lookup without enforcing token requirement in OrdersController#show:

@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first

Authorization bypass for guest orders in authorize_access:

def authorize_access
  return true if @order.user_id.nil?

  @order.user == try_spree_current_user
end

If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)

Proof of Concept

As a guest create a complete order.
Fetch the latest Order ID from the database (Table: spree_orders).
In another clean browser access following URL: <SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)

=> Full guest order details are disclosed including names, addresses and limited payment info.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

CWEs

CWE-639: Authorization Bypass Through User-Controlled Key

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_storefront"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_storefront"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_storefront"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_storefront"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T21:13:24Z",
    "nvd_published_at": "2026-02-06T23:15:54Z",
    "severity": "HIGH"
  },
  "details": "### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)\n\nThe `OrdersController#show` action permits viewing completed guest orders by order number alone, without requiring the associated order token.\n\nOrder lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):\n\n```ruby\n@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first\n```\n\nAuthorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):\n```ruby\ndef authorize_access\n  return true if @order.user_id.nil?\n\n  @order.user == try_spree_current_user\nend\n```\n\nIf the attacker is in possession of a leaked Order ID, they might look it up directly via this API.\nAlternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)\n\n\n#### Proof of Concept\n\n1. As a guest create a complete order.\n2. Fetch the latest Order ID from the database (Table: `spree_orders`).\n3. In another clean browser access following URL: `\u003cSPREE-HOST\u003e/orders/\u003cORDER-ID\u003e`. (Sample: `http://localhost:3000/orders/R496592563`)\n\n=\u003e Full guest order details are disclosed including names, addresses and limited payment info.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-p6pv-q7rc-g4h9",
  "modified": "2026-02-07T00:33:27Z",
  "published": "2026-02-05T21:13:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spree/spree"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID"
}

FKIE_CVE-2026-25757

Vulnerability from fkie_nvd - Published: 2026-02-06 23:15 - Updated: 2026-02-06 23:15

Severity ?

7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
	security-advisories@github.com	https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
	security-advisories@github.com	https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
	security-advisories@github.com	https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
	security-advisories@github.com	https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
	security-advisories@github.com	https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
	security-advisories@github.com	https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
	security-advisories@github.com	https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2."
    }
  ],
  "id": "CVE-2026-25757",
  "lastModified": "2026-02-06T23:15:54.527",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T23:15:54.527",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25757 (GCVE-0-2026-25757)

GHSA-P6PV-Q7RC-G4H9

Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)

Proof of Concept

Impact

CWEs

Credit

Disclosure Policy

FKIE_CVE-2026-25757

Tags

Sightings

Nomenclature

Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)