CVE-2026-25757 Overview
CVE-2026-25757 is a critical Insecure Direct Object Reference (IDOR) vulnerability in Spree, an open source e-commerce solution built with Ruby on Rails. This vulnerability allows unauthenticated users to view completed guest orders by simply knowing or guessing the Order ID, leading to unauthorized disclosure of personally identifiable information (PII) belonging to guest users.
The vulnerability exists in the orders controller where insufficient authorization checks allow direct access to order details without proper authentication. This represents a significant privacy concern for e-commerce platforms running vulnerable Spree versions, as attackers can enumerate order IDs to harvest customer data including names, addresses, and phone numbers.
Critical Impact
Unauthenticated attackers can access guest order data containing PII (names, addresses, phone numbers) by enumerating Order IDs, potentially affecting all guest customers who have completed orders on affected Spree installations.
Affected Products
- Spree versions prior to 5.0.8
- Spree versions prior to 5.1.10
- Spree versions prior to 5.2.7
- Spree versions prior to 5.3.2
Discovery Timeline
- 2026-02-06 - CVE-2026-25757 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25757
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in the orders_controller.rb where the show action fails to properly validate that the requesting user has authorization to view the requested order.
In the vulnerable implementation, the controller retrieves order information based on the Order ID provided in the request parameters but does not enforce proper access controls. While the code checks if an order exists and performs some form of authorization via an authorize_access method, this check was insufficient to prevent unauthorized access to guest orders.
The order number generator in Spree creates predictable order identifiers, making enumeration attacks feasible. An attacker can iterate through order numbers and successfully retrieve order details for any completed guest order without authentication.
Root Cause
The root cause lies in the inadequate authorization logic within the Spree::OrdersController#show action. The original code performed a combined check using @order.blank? || !authorize_access, but this approach failed to properly enforce authorization through the CanCan authorization framework. The vulnerability allowed requests without proper authentication tokens to bypass access controls and retrieve sensitive order information.
Additionally, the order_status_controller.rb had a related issue where it only checked for blank order numbers but did not require email verification, allowing attackers to look up orders without the associated email address.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying the pattern of order IDs used by the target Spree installation
- Crafting HTTP GET requests to /orders/:id endpoints with enumerated order IDs
- Receiving order details including customer PII without any authentication
# Security patch in storefront/app/controllers/spree/orders_controller.rb
# Source: https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
before_action :assign_order_with_lock, only: :update
+ rescue_from CanCan::AccessDenied do |exception|
+ raise ActiveRecord::RecordNotFound
+ end
+
# GET /orders/:id
def show
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
- raise ActiveRecord::RecordNotFound if @order.blank? || !authorize_access
+ raise ActiveRecord::RecordNotFound if @order.blank?
+
+ authorize! :show, @order, params[:token]
@shipments = @order.shipments.includes(:stock_location, :address, selected_shipping_rate: :shipping_method, inventory_units: :line_item)
end
The patch introduces proper CanCan authorization with authorize! :show, @order, params[:token], ensuring that only users with valid tokens can access order information.
Detection Methods for CVE-2026-25757
Indicators of Compromise
- Unusual volume of GET requests to /orders/* endpoints from single IP addresses or user agents
- Sequential or patterned order ID access attempts in web server logs
- Access to order endpoints without corresponding session cookies or authentication tokens
- Rapid enumeration of order IDs in access logs showing 200 OK responses
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block order ID enumeration attempts
- Configure rate limiting on /orders/* endpoints to prevent high-volume enumeration attacks
- Enable detailed access logging for order-related endpoints and monitor for suspicious patterns
- Deploy anomaly detection to identify unusual access patterns to customer data endpoints
Monitoring Recommendations
- Monitor application logs for order lookups without associated authentication tokens
- Set up alerts for high-frequency access to order endpoints from single sources
- Review access patterns to identify potential data harvesting activities
- Implement real-time monitoring for unusual geographic access patterns to order data
How to Mitigate CVE-2026-25757
Immediate Actions Required
- Upgrade Spree to patched versions: 5.0.8, 5.1.10, 5.2.7, or 5.3.2 immediately
- Review access logs to identify potential exploitation attempts prior to patching
- Notify affected customers if unauthorized access to their order data is suspected
- Implement additional access controls at the network or WAF level as a defense-in-depth measure
Patch Information
Security patches have been released across all supported Spree version branches. The fixes implement proper CanCan authorization checks and require both order number and email for order status lookups. Apply the appropriate patch based on your Spree version:
| Version Branch | Patched Version | Commit Reference |
|---|---|---|
| 5.0.x | 5.0.8 | ea4a5db5 |
| 5.1.x | 5.1.10 | 6f6b8a7a |
| 5.2.x | 5.2.7 | 6b32ed7d |
| 5.3.x | 5.3.2 | 3e00be64 |
For additional details, refer to the GitHub Security Advisory GHSA-p6pv-q7rc-g4h9.
Workarounds
- Implement WAF rules to require authentication for all /orders/* endpoints until patching is possible
- Add rate limiting at the reverse proxy or load balancer level to slow enumeration attempts
- Temporarily disable guest checkout functionality if exposure of guest order data is a critical concern
- Deploy network-level access controls to restrict order endpoint access to known IP ranges
# Temporary workaround: Add email requirement to order status controller
# In storefront/app/controllers/spree/order_status_controller.rb
def create
raise ActiveRecord::RecordNotFound if params[:number].blank? || params[:email].blank?
@order = order_finder.new(number: params[:number], email: params[:email], store: current_store).execute.first
# ... rest of implementation
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
