CVE-2026-25757

5.3 MEDIUM

📋 TL;DR

Unauthenticated users can view completed guest orders by order ID in the Spree e-commerce platform, potentially exposing guest user PII including names, addresses, and phone numbers. This affects all Spree deployments running vulnerable versions. The vulnerability stems from insufficient access controls on the guest order endpoints.

💻 Affected Systems

Products:
  • Spree e-commerce platform
Versions: All versions prior to 5.0.8, 5.1.10, 5.2.7, and 5.3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with guest checkout functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass scraping of guest order data leading to large-scale PII exposure, identity theft, and regulatory compliance violations.

🟠 Likely Case

Targeted information gathering about specific customers, potentially enabling social engineering or phishing attacks.

🟢 If Mitigated

Limited exposure if proper network segmentation and monitoring are in place, but PII disclosure risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of order IDs, which may be predictable or enumerable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.8, 5.1.10, 5.2.7, or 5.3.2 depending on your version line

Vendor Advisory: https://github.com/spree/spree/security/advisories

Restart Required: Yes

Instructions:

1. Identify your Spree version.
2. Update to the corresponding patched version: 5.0.x → 5.0.8, 5.1.x → 5.1.10, 5.2.x → 5.2.7, 5.3.x → 5.3.2.
3. Restart the application server.
4. Verify the fix.

🔧 Temporary Workarounds

Implement custom authentication middleware (applies to: all)

Add authentication checks to guest order endpoints before patching. Note that requiring a login on the order page also blocks legitimate guests from viewing their own order confirmation, so treat this as a stopgap until the patch is applied.

# Add to orders_controller.rb or middleware.
# :authenticate_user is a placeholder; substitute the authentication helper
# your application actually defines (it must redirect or render 401/403 when
# no user is signed in).
before_action :authenticate_user, only: [:show]

🧯 If You Can't Patch

  • Implement WAF rules to block unauthenticated access to /orders/* endpoints
  • Disable guest checkout functionality temporarily

🔍 How to Verify

Check if Vulnerable:

Attempt to access /orders/{order_id} endpoint without authentication using a known guest order ID

Check Version:

bundle show spree | grep -o 'spree-[0-9.]*'

Verify Fix Applied:

Verify that the same unauthenticated request now returns 401/403 or redirects to login

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated GET requests to /orders/* endpoints returning 200 status

Network Indicators:

  • Unusual volume of requests to order endpoints from unauthenticated sources

SIEM Query:

source="spree.log" AND (uri_path="/orders/*" OR uri_path LIKE "/orders/%") AND http_status=200 AND user_id=null
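The log and network indicators above, implemented as a small Ruby script over constructed access-log lines (an added example, not code from the advisory or the Spree project). The log format is an assumption: combined-style lines with a trailing user= field that is "-" for unauthenticated requests; adapt the regex to your own logging.

```ruby
# Constructed sample lines; not real traffic. Source 203.0.113.7 walks
# sequential order IDs without a session, which is the pattern to flag.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Feb/2026:10:00:01 +0000] "GET /orders/R123456789 HTTP/1.1" 200 5120 user=-
  203.0.113.7 - - [10/Feb/2026:10:00:02 +0000] "GET /orders/R123456790 HTTP/1.1" 200 5098 user=-
  203.0.113.7 - - [10/Feb/2026:10:00:03 +0000] "GET /orders/R123456791 HTTP/1.1" 404 310 user=-
  203.0.113.7 - - [10/Feb/2026:10:00:04 +0000] "GET /orders/R123456792 HTTP/1.1" 200 5101 user=-
  198.51.100.4 - - [10/Feb/2026:10:01:00 +0000] "GET /orders/R987654321 HTTP/1.1" 200 5130 user=42
  198.51.100.9 - - [10/Feb/2026:10:02:00 +0000] "GET /products/widget HTTP/1.1" 200 8000 user=-
  192.0.2.5 - - [10/Feb/2026:10:03:00 +0000] "GET /orders/R555555555 HTTP/1.1" 200 5000 user=-
LOG

# Assumed line layout: ip ident authuser [timestamp] "METHOD path proto" status bytes user=<id|->
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \d+ user=(?<user>\S+)\z/

# Log indicator: an unauthenticated GET to an order page that returned 200.
# Returns one hash per matching line.
def unauthenticated_order_reads(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    next unless m[:method] == 'GET' && m[:path].match?(%r{\A/orders/[^/?]+})
    next unless m[:status] == '200' && m[:user] == '-'
    { ip: m[:ip], path: m[:path], ts: m[:ts] }
  end
end

# Network indicator: sources with an unusual volume of such reads.
# Returns { ip => count } for every source at or above the threshold.
def enumeration_suspects(log, threshold: 3)
  counts = Hash.new(0)
  unauthenticated_order_reads(log).each { |hit| counts[hit[:ip]] += 1 }
  counts.select { |_ip, n| n >= threshold }
end

if __FILE__ == $PROGRAM_NAME
  unauthenticated_order_reads(SAMPLE_LOG).each { |h| puts "hit  #{h[:ip]} #{h[:path]} at #{h[:ts]}" }
  enumeration_suspects(SAMPLE_LOG).each { |ip, n| puts "ALERT #{ip}: #{n} unauthenticated order reads" }
end
```

The threshold is a starting point; tune it against the normal rate of guest order-confirmation views in your own traffic.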
