CVE-2026-25758
Published: 06 February 2026
Summary
CVE-2026-25758 is a high-severity Improper Access Control (CWE-284) vulnerability in Spreecommerce Spree. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25758 is a critical Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), affecting Spree Commerce, an open-source e-commerce platform built on Ruby on Rails. The flaw resides in the guest checkout flow, where attackers can manipulate address ID parameters to bind arbitrary guest addresses to their own order. This bypasses ownership validation checks, exposing other users' personally identifiable information (PII) such as names, addresses, and phone numbers. The issue impacts all guest checkout transactions and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any unauthenticated guest user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By altering address ID parameters during checkout, an attacker can associate another guest's address with their order, gaining unauthorized read access to sensitive PII from prior transactions. This enables broad data harvesting across affected deployments without privileges or special conditions.
Mitigation is available through patches in Spree versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2, as detailed in the fix commit at https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734. Relevant code changes address the validation logic in files like core/app/models/spree/order/address_book.rb, core/app/models/spree/order/checkout.rb, core/app/services/spree/checkout/update.rb, and core/lib/spree/permitted_attributes.rb. Security practitioners should upgrade immediately and review guest checkout configurations for parameter tampering risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5563
Vulnerability details
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID…
more
parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing Spree Commerce guest checkout enables unauthenticated remote parameter manipulation to bypass authorization and access PII, directly matching exploitation of public-facing web applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 enforces approved authorizations for accessing guest addresses, directly preventing IDOR exploitation by validating ownership before binding to orders.
SI-10 validates user-supplied address ID parameters at input points, blocking manipulation attempts that bypass ownership checks in guest checkout.
AC-16 associates security attributes such as owner identifiers with guest addresses, supporting enforcement mechanisms to restrict unauthorized access via IDOR.