CVE-2026-25757

MEDIUM

Rubygems Spree Storefront < 5.0.8 - IDOR

Title source: rule

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

References (8)

[Vendor Advisory] https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9

[Patch] https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab

[Patch] https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be

[Patch] https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d

[Patch] https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad

[Various Sources] https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14

View Writeup ZIP pw:eip

[Various Sources] https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8

[Various Sources] https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 9.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

rubygems/spree_storefront 0 - 5.0.8RubyGems

spreecommerce/spree < 5.0.8

Published Feb 06, 2026

Tracked Since Feb 18, 2026