PT-2026-24637 · Packagist · Craftcms/Commerce

Published: 2026-03-10 · Updated: 2026-03-10

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

An Insecure Direct Object Reference (IDOR) vulnerability in Craft Commerce's cart loading lets any requester who knows or guesses a cart's 32-character number attach that cart to their own session. An attacker can take over the victim's shopping session and read the PII stored on the cart.

Vulnerability Details

Root Cause

The CartController accepts a user-supplied number parameter to locate the cart to load or modify. No ownership validation is performed: the only conditions on the query are that an order with that number exists and is not yet completed, so nothing ties the returned cart to the requester's session or customer account.
// CartController.php:374-389 - actionLoadCart()
public function actionLoadCart(): ?Response
{
  $number = $this->request->getParam('number');

  if ($number === null) {
    return $this->asFailure(Craft::t('commerce', 'A cart number must be specified.'));
  }

  // No ownership check - returns any cart to any requester
  $cart = Order::find()->number($number)->isCompleted(false)->one();

  // Cart is loaded into attacker's session without authorization
  ...
}

// CartController.php:606-616 - getCart()
$orderNumber = $this->request->getBodyParam('number');
if ($orderNumber) {
  // Same issue - no ownership validation
  $cart = Order::find()->number($orderNumber)->isCompleted(false)->one();
  // Returns cart to any requester who knows the number
}
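The following is an added example, not Craft Commerce's code: a plain-PHP model of the lookup shared by actionLoadCart() and getCart(), with the missing ownership check added beside it. OrderStore, Requester and the session-number check are hypothetical stand-ins for Craft's Order query, session and customer objects, and the ownership policy (cart created by this session, or assigned to the authenticated customer) is an assumption chosen for the example, not the project's fix. Requires PHP 8.1+.

```php
<?php
declare(strict_types=1);

// Added example, not Craft Commerce code. OrderStore, Requester and the
// ownership policy below are hypothetical stand-ins for Craft's Order query,
// session and customer handling.

final class Order
{
    public function __construct(
        public readonly string $number,     // 32-character hex cart number
        public readonly ?int $customerId,   // null for a guest cart
        public readonly bool $isCompleted,
        public readonly array $lineItems,
    ) {
    }
}

/** Hypothetical stand-in for Order::find()->number($n)->isCompleted(false)->one(). */
final class OrderStore
{
    /** @var array<string, Order> */
    private array $orders = [];

    public function add(Order $order): void
    {
        $this->orders[$order->number] = $order;
    }

    public function findIncompleteByNumber(string $number): ?Order
    {
        $order = $this->orders[$number] ?? null;
        return ($order !== null && !$order->isCompleted) ? $order : null;
    }
}

/** Hypothetical requester context: authenticated customer id (if any) and the cart numbers this session created. */
final class Requester
{
    /** @param string[] $sessionCartNumbers */
    public function __construct(
        public readonly ?int $customerId,
        public readonly array $sessionCartNumbers = [],
    ) {
    }
}

// Vulnerable shape, as in actionLoadCart()/getCart(): existence and "not
// completed" are the only conditions, so whoever knows the number gets the cart.
function loadCartVulnerable(OrderStore $store, Requester $requester, string $number): ?Order
{
    return $store->findIncompleteByNumber($number);
}

// Hardened shape: same lookup, then require that the requester owns the cart.
// Assumed policy: the cart was created by this session, or it is assigned to
// the customer the requester is authenticated as. A guest cart (customerId
// null) is therefore reachable only from the session that created it.
function loadCartHardened(OrderStore $store, Requester $requester, string $number): ?Order
{
    $cart = $store->findIncompleteByNumber($number);
    if ($cart === null) {
        return null;
    }
    $ownsViaSession  = in_array($number, $requester->sessionCartNumbers, true);
    $ownsViaCustomer = $requester->customerId !== null
        && $cart->customerId === $requester->customerId;
    if (!$ownsViaSession && !$ownsViaCustomer) {
        // Indistinguishable from "no such cart", so the endpoint cannot be
        // used as an oracle for which numbers exist.
        return null;
    }
    return $cart;
}

// Constructed demo data: one victim cart, the victim's own session, and an
// unauthenticated attacker session that only knows the number.
$store = new OrderStore();
$victimNumber = bin2hex(random_bytes(16)); // 32 hex chars, the shape the advisory describes
$store->add(new Order($victimNumber, 42, false, ['sku-1' => 2]));

$victim   = new Requester(42, [$victimNumber]);
$attacker = new Requester(null, []);

$results = [
    'vulnerable: attacker gets cart' => loadCartVulnerable($store, $attacker, $victimNumber) !== null,
    'hardened: attacker gets cart'   => loadCartHardened($store, $attacker, $victimNumber) !== null,
    'hardened: owner gets cart'      => loadCartHardened($store, $victim, $victimNumber) !== null,
];
foreach ($results as $label => $granted) {
    printf("%-32s %s\n", $label, $granted ? 'yes' : 'no');
}
```

Run it with `php example.php`. The point of the hardened version is that the authorization decision is made after the lookup and against state the requester cannot choose (their session and their authenticated identity), and that a failed ownership check returns exactly what a missing cart returns, so the number parameter stops being usable as an existence oracle.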

Attack Scenario

Prerequisites

  • Target Craft Commerce installation with active shopping carts
  • Knowledge of a victim’s cart number (32-character hex string)

Cart Number Acquisition Vectors

  1. Referer header leakage: a page whose URL carries the cart number sends that number in the Referer header to any third-party resource or outbound link on the page
  2. Browser history: the cart URL remains readable on shared or compromised devices
  3. Proxy/WAF logs: cart numbers passed as URL parameters are recorded in request logs
  4. Social engineering: support tickets and screenshots that include cart URLs
  5. Brute force: a 32-character hex number cannot be enumerated exhaustively, so guessing is only realistic in targeted attacks against recently-created carts where the candidate set can be narrowed; the vector's AC:H reflects this

Fix

Weakness Enumeration

IDOR

Related Identifiers

GHSA-VFF3-PQQ8-4CPQ

Affected Products

Craftcms/Commerce