← Back
2026-02-06 22:37CVE-2026-25757GitHub_M
PUBLISHED5.2CWE-639

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Problem type

Affected products

spree

spree

< 5.0.8 - AFFECTED

>= 5.1.0, < 5.1.10 - AFFECTED

>= 5.2.0, < 5.2.7 - AFFECTED

>= 5.3.0, < 5.3.2 - AFFECTED

References

https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9

https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9

x_refsource_CONFIRM
https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab

https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab

x_refsource_MISC
https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be

https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be

x_refsource_MISC
https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d

https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d

x_refsource_MISC
https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad

https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad

x_refsource_MISC
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14

https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14

x_refsource_MISC
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8

https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8

x_refsource_MISC
https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45

https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45

x_refsource_MISC

GitHub Security Advisories

GHSA-p6pv-q7rc-g4h9

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

https://github.com/advisories/GHSA-p6pv-q7rc-g4h9

Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)

The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.

Order lookup without enforcing token requirement in OrdersController#show:

@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first

Authorization bypass for guest orders in authorize_access:

def authorize_access
  return true if @order.user_id.nil?

  @order.user == try_spree_current_user
end

If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)

Proof of Concept

  1. As a guest create a complete order.
  2. Fetch the latest Order ID from the database (Table: spree_orders).
  3. In another clean browser access following URL: <SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)

=> Full guest order details are disclosed including names, addresses and limited payment info.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

CWEs

  • CWE-639: Authorization Bypass Through User-Controlled Key

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

github.com

https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9

github.com

https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab

github.com

https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be

github.com

https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d

github.com

https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad

github.com

https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14

github.com

https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8

github.com

https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-25757

github.com

https://github.com/advisories/GHSA-p6pv-q7rc-g4h9

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-25757
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-25757",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-02-06T22:37:07.542Z",
    "dateReserved": "2026-02-05T18:35:52.357Z",
    "datePublished": "2026-02-06T22:37:07.542Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-02-06T22:37:07.542Z"
      },
      "title": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2."
        }
      ],
      "affected": [
        {
          "vendor": "spree",
          "product": "spree",
          "versions": [
            {
              "version": "< 5.0.8",
              "status": "affected"
            },
            {
              "version": ">= 5.1.0, < 5.1.10",
              "status": "affected"
            },
            {
              "version": ">= 5.2.0, < 5.2.7",
              "status": "affected"
            },
            {
              "version": ">= 5.3.0, < 5.3.2",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "cweId": "CWE-639",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9",
          "name": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab",
          "name": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be",
          "name": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d",
          "name": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad",
          "name": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14",
          "name": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8",
          "name": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45",
          "name": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}