Description
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to guest personal information through an IDOR flaw in Spree Commerce
Action: Patch
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87fh-rc96-6fr6 Unauthenticated Spree Commerce users can access all guest addresses
History

Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Spreecommerce
Spreecommerce spree
CPEs cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*
Vendors & Products Spreecommerce
Spreecommerce spree
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Spree
Spree spree
Vendors & Products Spree
Spree spree

Fri, 06 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Title Spree allows unauthenticated users can access all guest addresses
Weaknesses CWE-284
CWE-639
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Spree Spree
Spreecommerce Spree
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:51.129Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25758

cve-icon Vulnrichment

Updated: 2026-02-09T15:21:55.291Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T22:16:12.133

Modified: 2026-02-19T18:01:26.760

Link: CVE-2026-25758

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses