CVE-2026-22588

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5

Description Spree is an open source e-commerce solution built with Ruby on Rails. An Authenticated Insecure Direct Object Reference (IDOR) issue exists that allows an authenticated user to access address information belonging to other users. This occurs by modifying an existing order and manipulating address identifiers within the request. The backend server incorrectly processes these references, associating addresses from other users with the attacker’s order and returning them in the response. The issue involves manipulating address identifiers in a request to access data from other users.

Recommendations Update Spree to version 4.10.2 or later. Update Spree to version 5.0.7 or later. Update Spree to version 5.1.9 or later. Update Spree to version 5.2.5 or later.