CVE-2026-22589

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5

Description Spree is an open source e-commerce solution built with Ruby on Rails. An unauthenticated Insecure Direct Object Reference (IDOR) issue exists, allowing an attacker to access guest address information without valid credentials or session cookies. The issue affects the Spree API. An IDOR occurs when an application provides direct access to objects based on user-supplied input. In this case, an attacker can manipulate the input to access data belonging to other users. The vulnerable component allows access to guest address information.

Recommendations Update Spree to version 4.10.2 or later. Update Spree to version 5.0.7 or later. Update Spree to version 5.1.9 or later. Update Spree to version 5.2.5 or later.