CVE-2026-22589

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795	Patch
https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad	Patch
https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67	Patch
https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad	Patch
https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr	Vendor Advisory Exploit
https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:spreecommerce:spree::::::::
	cpe:2.3:a:spreecommerce:spree::::::::
	cpe:2.3:a:spreecommerce:spree::::::::
	cpe:2.3:a:spreecommerce:spree::::::::

History

No history.

Information

Published : 2026-01-10 04:16

Updated : 2026-01-22 13:45

NVD link : CVE-2026-22589

Mitre link : CVE-2026-22589

CVE.ORG link : CVE-2026-22589

JSON object : View

Products Affected

spreecommerce

spree

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-22589", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-10T04:16:01.343", "references": [{"url": "https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr", "tags": ["Vendor Advisory", "Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5."}], "lastModified": "2026-01-22T13:45:29.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B265915C-3AA8-4B6C-9794-DA08F6359D31", "versionEndExcluding": "4.10.2"}, {"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6C152A8-FCA5-4420-A138-E09B27970EE4", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54EEC933-938E-404B-A87B-3771931D5E23", "versionEndExcluding": "5.1.9", "versionStartIncluding": "5.1.0"}, {"criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C6D055D-A9A8-46E1-A16C-FE17B66E800B", "versionEndExcluding": "5.2.5", "versionStartIncluding": "5.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}