CVE-2026-31867

Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 4.11.0 and 5.6.0

Description Craft Commerce, an ecommerce platform for Craft CMS, contains an Insecure Direct Object Reference (IDOR) issue within its cart functionality. This allows users to potentially hijack shopping carts by knowing or guessing the 32-character cart number. The CartController accepts a user-supplied number parameter to load and modify shopping carts, but performs no ownership validation. The code only verifies if the order exists and is incomplete, without checking if the requester is authorized to access it. This can lead to the takeover of shopping sessions and potential exposure of Personally Identifiable Information (PII). The issue stems from the lack of authorization checks in the actionLoadCart() and getCart() functions within the CartController. Specifically, the code retrieves carts using the Order::find()->number($number)->isCompleted(false)->one() query without verifying user permissions. Attack vectors for obtaining cart numbers include referrer header leakage, browser history access, proxy/WAF logs, social engineering, and brute-force attempts.

Recommendations Craft Commerce versions prior to 4.11.0 should be updated to version 4.11.0 or later. Craft Commerce versions prior to 5.6.0 should be updated to version 5.6.0 or later.