Cyber Resilience

CVE-2026-25758

HighPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 11.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25758 is a high-severity Improper Access Control (CWE-284) vulnerability in Spreecommerce Spree. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25758 is a critical Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), affecting Spree Commerce, an open-source e-commerce platform built on Ruby on Rails. The flaw resides in the guest checkout flow, where attackers can manipulate address ID parameters to bind arbitrary guest addresses to their own order. This bypasses ownership validation checks, exposing other users' personally identifiable information (PII) such as names, addresses, and phone numbers. The issue impacts all guest checkout transactions and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Any unauthenticated guest user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By altering address ID parameters during checkout, an attacker can associate another guest's address with their order, gaining unauthorized read access to sensitive PII from prior transactions. This enables broad data harvesting across affected deployments without privileges or special conditions.

Mitigation is available through patches in Spree versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2, as detailed in the fix commit at https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734. Relevant code changes address the validation logic in files like core/app/models/spree/order/address_book.rb, core/app/models/spree/order/checkout.rb, core/app/services/spree/checkout/update.rb, and core/lib/spree/permitted_attributes.rb. Security practitioners should upgrade immediately and review guest checkout configurations for parameter tampering risks.

EU & UK References

Vulnerability details

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID…

more

parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR in public-facing Spree Commerce guest checkout enables unauthenticated remote parameter manipulation to bypass authorization and access PII, directly matching exploitation of public-facing web applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22589Same product: Spreecommerce Spree
CVE-2011-10026Same product: Spreecommerce Spree
CVE-2011-10019Same product: Spreecommerce Spree
CVE-2026-20897Shared CWE-284, CWE-639
CVE-2025-62166Shared CWE-284, CWE-639
CVE-2026-21447Shared CWE-284, CWE-639
CVE-2026-20912Shared CWE-284, CWE-639
CVE-2026-27449Shared CWE-284, CWE-639
CVE-2026-39339Shared CWE-284
CVE-2026-41471Shared CWE-639

Affected Assets

spreecommerce
spree
≤ 4.10.3 · 5.0.0 — 5.0.8 · 5.1.0 — 5.1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations for accessing guest addresses, directly preventing IDOR exploitation by validating ownership before binding to orders.

prevent

SI-10 validates user-supplied address ID parameters at input points, blocking manipulation attempts that bypass ownership checks in guest checkout.

prevent

AC-16 associates security attributes such as owner identifiers with guest addresses, supporting enforcement mechanisms to restrict unauthorized access via IDOR.

References