CVE-2026-25758
Published: 06 February 2026
Summary
CVE-2026-25758 is a high-severity Improper Access Control (CWE-284) vulnerability in Spreecommerce Spree. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks.
Enforcing approved authorizations directly implements access control policies to block unauthorized access.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing Spree Commerce guest checkout enables unauthenticated remote parameter manipulation to bypass authorization and access PII, directly matching exploitation of public-facing web applications.
NVD Description
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID…
more
parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Deeper analysisAI
CVE-2026-25758 is a critical Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), affecting Spree Commerce, an open-source e-commerce platform built on Ruby on Rails. The flaw resides in the guest checkout flow, where attackers can manipulate address ID parameters to bind arbitrary guest addresses to their own order. This bypasses ownership validation checks, exposing other users' personally identifiable information (PII) such as names, addresses, and phone numbers. The issue impacts all guest checkout transactions and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any unauthenticated guest user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By altering address ID parameters during checkout, an attacker can associate another guest's address with their order, gaining unauthorized read access to sensitive PII from prior transactions. This enables broad data harvesting across affected deployments without privileges or special conditions.
Mitigation is available through patches in Spree versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2, as detailed in the fix commit at https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734. Relevant code changes address the validation logic in files like core/app/models/spree/order/address_book.rb, core/app/models/spree/order/checkout.rb, core/app/services/spree/checkout/update.rb, and core/lib/spree/permitted_attributes.rb. Security practitioners should upgrade immediately and review guest checkout configurations for parameter tampering risks.
Details
- CWE(s)