PT-2026-6726 · Spree · Spree
P- · Published 2026-02-05 · Updated 2026-02-06 · CVE-2026-25757
CVSS v4.0 8.7 High
Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Spree versions prior to 5.0.8
Spree versions prior to 5.1.10
Spree versions prior to 5.2.7
Spree versions prior to 5.3.2
Description Spree, an open source e-commerce solution, contains a flaw where unauthenticated users can view completed guest orders using only the Order ID (the public order number). This can lead to the disclosure of Personally Identifiable Information (PII) of guest users, including names, addresses, and phone numbers. The issue stems from the OrdersController#show action allowing order lookup by number without requiring the associated order token, and from the authorize access function not enforcing authorization for guest orders, which have no owning user account. An attacker who holds a leaked Order ID, or who brute-forces one, can retrieve the order details via the /orders/{id} API endpoint. The Order IDs are securely generated but have relatively low entropy, so enumerating them against a store with many completed orders is potentially feasible.
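The following is an added example, not Spree's own code, that models the flaw the description above outlines: a `show` action that finds an order by its public number and an authorization check that, for guest orders (no owning user), either ignores the per-order token (vulnerable) or requires it (fixed). The names `Order`, `show_order`, `authorize_access_vulnerable` and `authorize_access_fixed` are illustrative, and the order-number format used for the brute-force estimate (a letter followed by nine decimal digits) is an assumption, not a value taken from the advisory.

```ruby
require "securerandom"

# Constructed sample data (not from a real store): one completed guest order
# and one completed order that belongs to registered user 42.
Order = Struct.new(:number, :token, :user_id, :state, :email, :ship_address, keyword_init: true)
User  = Struct.new(:id, keyword_init: true)

GUEST_ORDER = Order.new(number: "R123456789", token: SecureRandom.hex(16), user_id: nil,
                        state: "complete", email: "guest@example.com",
                        ship_address: "1 Example St, Springfield")
USER_ORDER  = Order.new(number: "R987654321", token: SecureRandom.hex(16), user_id: 42,
                        state: "complete", email: "member@example.com",
                        ship_address: "2 Example Ave, Shelbyville")
ORDERS = [GUEST_ORDER, USER_ORDER].to_h { |o| [o.number, o] }

# Constant-time comparison so the token check does not leak bytes via timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# VULNERABLE (illustrative): the guest branch grants access to any order that
# has no owning user, so the token handed out at checkout is never consulted.
def authorize_access_vulnerable(order, current_user, _token)
  return true if current_user && order.user_id == current_user.id
  order.user_id.nil?
end

# FIXED (illustrative): a guest order is visible only to a caller presenting
# that order's token; registered users still see their own orders.
def authorize_access_fixed(order, current_user, token)
  return true if current_user && order.user_id == current_user.id
  order.user_id.nil? && secure_compare(order.token, token)
end

# Stand-in for GET /orders/{id}: returns [http_status, body_or_nil].
def show_order(number, authorizer, current_user: nil, token: nil)
  order = ORDERS[number]
  return [404, nil] unless order
  return [403, nil] unless authorizer.call(order, current_user, token)
  [200, { number: order.number, email: order.email, ship_address: order.ship_address }]
end

# Brute-force feasibility: with K possible numbers and N live completed orders,
# a random guess hits some order with probability N/K, so the expected number
# of requests per disclosed order is about K/N. Assumed format: "R" + 9 digits.
def expected_guesses_per_hit(keyspace:, live_orders:)
  (keyspace.to_f / live_orders).ceil
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, no token: #{show_order('R123456789', method(:authorize_access_vulnerable)).inspect}"
  puts "fixed, no token:      #{show_order('R123456789', method(:authorize_access_fixed)).inspect}"
  puts "fixed, right token:   #{show_order('R123456789', method(:authorize_access_fixed), token: GUEST_ORDER.token).inspect}"
  puts "guesses per hit (10^9 keyspace, 100k orders): #{expected_guesses_per_hit(keyspace: 10**9, live_orders: 100_000)}"
end
```

The two authorizers differ only in the guest branch, which is exactly where the advisory places the defect: the lookup by number is fine as long as the result is then gated on something the requester cannot guess. The estimate function makes the "low entropy" remark concrete: under the assumed nine-digit format a store with 100,000 completed orders yields one guest order per roughly 10,000 unauthenticated requests, well within reach of an attacker who is not rate-limited.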
Recommendations
Versions prior to 5.0.8 should be updated to version 5.0.8 or later.
Versions prior to 5.1.10 should be updated to version 5.1.10 or later.
Versions prior to 5.2.7 should be updated to version 5.2.7 or later.
Versions prior to 5.3.2 should be updated to version 5.3.2 or later.

Weakness Enumeration

IDOR

Related Identifiers

CVE-2026-25757
GHSA-P6PV-Q7RC-G4H9

Affected Products

Spree