Home

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

PUBLISHED Reserved 2026-01-07 | Published 2026-01-10 | Updated 2026-01-12 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

>= 5.2.0, < 5.2.5
affected

>= 5.1.0, < 5.1.9
affected

>= 5.0.0, < 5.0.7
affected

< 4.10.2
affected

References

github.com/.../spree/security/advisories/GHSA-3ghg-3787-w2xr exploit

github.com/.../spree/security/advisories/GHSA-3ghg-3787-w2xr

github.com/...ommit/16067def6de8e0742d55313e83b0fbab6d2fd795

github.com/...ommit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad

github.com/...ommit/d051925778f24436b62fa8e4a6b842c72ca80a67

github.com/...ommit/e1cff4605eb15472904602aebaf8f2d04852d6ad

cve.org (CVE-2026-22589)

nvd.nist.gov (CVE-2026-22589)

Download JSON