GHSA-P6PV-Q7RC-G4H9
Vulnerability from github – Published: 2026-02-05 21:13 – Updated: 2026-02-07 00:33
VLAI?
Summary
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Details
Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)
The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.
Order lookup without enforcing token requirement in OrdersController#show:
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
Authorization bypass for guest orders in authorize_access:
def authorize_access
return true if @order.user_id.nil?
@order.user == try_spree_current_user
end
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)
Proof of Concept
- As a guest create a complete order.
- Fetch the latest Order ID from the database (Table:
spree_orders). - In another clean browser access following URL:
<SPREE-HOST>/orders/<ORDER-ID>. (Sample:http://localhost:3000/orders/R496592563)
=> Full guest order details are disclosed including names, addresses and limited payment info.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
CWEs
- CWE-639: Authorization Bypass Through User-Controlled Key
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25757"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:13:24Z",
"nvd_published_at": "2026-02-06T23:15:54Z",
"severity": "HIGH"
},
"details": "### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)\n\nThe `OrdersController#show` action permits viewing completed guest orders by order number alone, without requiring the associated order token.\n\nOrder lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):\n\n```ruby\n@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first\n```\n\nAuthorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):\n```ruby\ndef authorize_access\n return true if @order.user_id.nil?\n\n @order.user == try_spree_current_user\nend\n```\n\nIf the attacker is in possession of a leaked Order ID, they might look it up directly via this API.\nAlternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)\n\n\n#### Proof of Concept\n\n1. As a guest create a complete order.\n2. Fetch the latest Order ID from the database (Table: `spree_orders`).\n3. In another clean browser access following URL: `\u003cSPREE-HOST\u003e/orders/\u003cORDER-ID\u003e`. (Sample: `http://localhost:3000/orders/R496592563`)\n\n=\u003e Full guest order details are disclosed including names, addresses and limited payment info.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-p6pv-q7rc-g4h9",
"modified": "2026-02-07T00:33:27Z",
"published": "2026-02-05T21:13:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25757"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…