CVE-2026-40098

Name of the Vulnerable Software and Affected Versions Magento Long Term Support (LTS) versions prior to 20.17.0

Description The shared wishlist add-to-cart endpoint authorizes access using a public sharing code but loads the target wishlist item via a separate global wishlist item id without verifying that the item belongs to the wishlist associated with that code. This allows an attacker to use a valid shared wishlist code for one wishlist and a wishlist item ID from a victim's wishlist to import the victim's item into the attacker's cart. Because the victim item's stored buyRequest is reused, private custom-option data is copied into the attacker's quote. If the product utilizes a file custom option, this can lead to cross-user file disclosure as the imported file metadata is preserved and the download endpoint does not verify ownership.

Technical details include the following:

Recommendations Update to version 20.17.0. As a temporary workaround, restrict access to the '/wishlist/shared/cart/' endpoint to minimize the risk of exploitation.