PT-2026-32511 · Unknown · Craft Commerce

Tianluov · Published 2026-04-13 · Updated 2026-04-28 · CVE-2026-32270

CVSS v4.0: 1.7 (Low)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions prior to 4.11.0
Craft Commerce versions prior to 5.6.0

Description
The actionPay() function in PaymentsController discloses order data to unauthenticated users. When an order number is supplied during an anonymous payment and the email check fails, the JSON error response contains the serialized order object, which includes sensitive information such as the customer's email, shipping address, and billing address. The root cause is that actionPay() retrieves the order by number before authorization is fully enforced, so the error path is built from an order the caller has not proven they may see.

Recommendations
Update to version 4.11.0 for versions prior to 4.11.0. Update to version 5.6.0 for versions prior to 5.6.0. As a temporary workaround, consider restricting access to the actionPay() function.
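The following script is an added illustration of the failure pattern the advisory describes, not Craft Commerce's own code: a payment handler that loads an order by number, fails an email check for an anonymous caller, and then builds its JSON error body from the full order object. The class and function names (Order, lookupOrderByNumber, payVulnerable, payHardened) and the sample order are constructed for this example and are assumptions, not identifiers from the project.

```php
<?php
// Added example (not Craft Commerce code). Names and data are hypothetical.

final class Order
{
    public function __construct(
        public string $number,
        public string $email,
        public array $shippingAddress,
        public array $billingAddress,
    ) {}

    /** Full serialisation, as a framework that JSON-encodes models would emit. */
    public function toArray(): array
    {
        return get_object_vars($this);
    }
}

// Constructed stand-in for the order store; one order with customer PII.
function lookupOrderByNumber(string $number): ?Order
{
    static $orders = null;
    $orders ??= [
        'ORD-1001' => new Order(
            'ORD-1001',
            'alice@example.test',
            ['line1' => '1 Example St', 'city' => 'Exampleton'],
            ['line1' => '2 Sample Rd', 'city' => 'Sampleville'],
        ),
    ];
    return $orders[$number] ?? null;
}

// Vulnerable pattern: the order is retrieved before authorisation, the
// anonymous email check fails, and the error response carries the whole order.
function payVulnerable(string $orderNumber, string $suppliedEmail): array
{
    $order = lookupOrderByNumber($orderNumber);
    if ($order === null) {
        return ['success' => false, 'error' => 'Order not found'];
    }
    if (!hash_equals(strtolower($order->email), strtolower($suppliedEmail))) {
        // Defect: email, shipping and billing addresses leak to an unauthenticated caller.
        return ['success' => false, 'error' => 'Email does not match', 'order' => $order->toArray()];
    }
    return ['success' => true, 'order' => ['number' => $order->number]];
}

// Hardened pattern: the authorisation decision is taken before any order data
// is placed in the response, the error body never echoes the order, and the
// "not found" and "not authorised" cases return the same body so a caller
// cannot tell whether the order number exists.
function payHardened(string $orderNumber, string $suppliedEmail): array
{
    $order = lookupOrderByNumber($orderNumber);
    $authorised = $order !== null
        && hash_equals(strtolower($order->email), strtolower($suppliedEmail));
    if (!$authorised) {
        return ['success' => false, 'error' => 'Unable to process payment for this order'];
    }
    // On success, return only the fields the payer needs, never the full model.
    return ['success' => true, 'order' => ['number' => $order->number]];
}

// Same wrong email against both handlers: the first body exposes PII, the second does not.
echo json_encode(payVulnerable('ORD-1001', 'wrong@example.test'), JSON_PRETTY_PRINT), "\n";
echo json_encode(payHardened('ORD-1001', 'wrong@example.test'), JSON_PRETTY_PRINT), "\n";
```

Running the script with `php example.php` prints the two responses side by side. The point for reviewers is the shape of the error path: any handler that can reach a model before the caller is authorised must build its failure response from a fixed message, not from the model, and should not distinguish "no such order" from "not your order" in the body it returns.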

Fix

Weakness Enumeration
Information Disclosure
Missing Authorization

Related Identifiers
CVE-2026-32270
GHSA-3VXG-X5F8-F5QF

Affected Products
Craft Commerce