CVE-2026-31867 Overview
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Craft Commerce, the ecommerce platform for Craft CMS. Prior to versions 4.11.0 and 5.6.0, the cart functionality allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts without performing ownership validation, creating a significant authorization bypass issue.
Critical Impact
This vulnerability enables unauthorized takeover of shopping sessions and potential exposure of personally identifiable information (PII), including customer addresses, payment details, and order contents.
Affected Products
- Craft Commerce versions prior to 4.11.0
- Craft Commerce versions prior to 5.6.0
- Craft CMS installations using vulnerable Craft Commerce plugin versions
Discovery Timeline
- 2026-03-11 - CVE-2026-31867 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31867
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The core issue stems from the CartController component accepting a user-supplied number parameter to load and modify shopping carts. The controller only verifies that the order exists and is in an incomplete state, but critically fails to validate whether the requesting user has authorization to access that specific cart.
The 32-character cart number serves as the sole identifier for cart access. While the entropy of a 32-character identifier might appear sufficient, the lack of any ownership binding means that any user who obtains or guesses a valid cart number can fully access and manipulate that shopping session.
Root Cause
The root cause is a missing authorization check in the cart loading mechanism. The application implements object-level access using a predictable or obtainable identifier without verifying that the authenticated (or anonymous) user making the request is the legitimate owner of the cart session. This represents a classic IDOR pattern where the application trusts user-supplied object references without proper access control validation.
Attack Vector
The attack vector is network-based, requiring an attacker to identify or enumerate valid 32-character cart numbers. Once a valid cart number is obtained, an attacker can:
- Access the victim's cart contents and view items being purchased
- Modify cart contents by adding, removing, or changing item quantities
- Extract PII associated with the cart, including shipping addresses and contact information
- Potentially complete purchases using stored payment information or redirect orders to attacker-controlled addresses
The vulnerability does not require authentication, as the cart number alone provides full access. Attackers could potentially obtain cart numbers through various means including referrer headers, shared URLs, browser history access, or brute-force enumeration if rate limiting is not implemented.
Detection Methods for CVE-2026-31867
Indicators of Compromise
- Unusual patterns of cart access from different IP addresses or user agents for the same cart number
- Rapid sequential requests to cart endpoints with incrementing or varied cart number parameters
- Cart modifications occurring from geographic locations inconsistent with the original session
- Customer complaints about cart contents changing unexpectedly or orders being hijacked
Detection Strategies
- Implement logging and monitoring for cart access patterns, flagging when the same cart is accessed from multiple distinct sessions
- Deploy web application firewall (WAF) rules to detect enumeration attempts against cart endpoints
- Monitor for anomalous request patterns to /cart or CartController endpoints with varying number parameters
- Correlate cart access logs with session identifiers to detect cross-session cart access attempts
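Detection logic for the first and last strategies above (one cart number touched by several sessions, and one client cycling through many cart numbers), run over constructed log lines. This is an added example, not a Craft Commerce feature; the log line format and the /cart/load and /cart/update paths are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (not Craft's): one line per cart request with ip, session id, path, number.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) path=(?P<path>\S+) number=(?P<number>[0-9a-f]{32})$"
)

CART_A = "0123456789abcdef0123456789abcdef"  # constructed 32-hex-char cart number
# Constructed sample: CART_A is touched by two sessions; 198.51.100.7 cycles through numbers.
SAMPLE_LOG = "\n".join([
    f"2026-03-12T10:00:01Z ip=203.0.113.5 sid=s1 path=/cart/load number={CART_A}",
    f"2026-03-12T10:00:05Z ip=203.0.113.5 sid=s1 path=/cart/update number={CART_A}",
    f"2026-03-12T10:02:10Z ip=198.51.100.7 sid=s9 path=/cart/load number={CART_A}",
    f"2026-03-12T10:02:11Z ip=198.51.100.7 sid=s9 path=/cart/load number={'f' * 32}",
    f"2026-03-12T10:02:12Z ip=198.51.100.7 sid=s9 path=/cart/load number={'e' * 32}",
    f"2026-03-12T10:03:00Z ip=203.0.113.9 sid=s2 path=/cart/load number={'a' * 32}",
    "2026-03-12T10:03:01Z malformed line that the parser must skip",
])

def parse(log_text):
    """Yield one dict per well-formed cart log line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def cross_session_carts(events):
    """Cart numbers touched by more than one session id (-> set of sids).
    Low-confidence on its own: a shopper who logs in mid-session legitimately
    changes session id, so corroborate with IP/geo before alerting."""
    sids_by_number = defaultdict(set)
    for e in events:
        sids_by_number[e["number"]].add(e["sid"])
    return {n: s for n, s in sids_by_number.items() if len(s) > 1}

def enumerating_ips(events, threshold=3):
    """IPs that loaded at least `threshold` distinct cart numbers: enumeration signal."""
    numbers_by_ip = defaultdict(set)
    for e in events:
        if e["path"].endswith("/load"):
            numbers_by_ip[e["ip"]].add(e["number"])
    return {ip: len(n) for ip, n in numbers_by_ip.items() if len(n) >= threshold}

def analyse(log_text, threshold=3):
    """Run both detectors over a log text and return their findings together."""
    events = list(parse(log_text))
    return {"cross_session": cross_session_carts(events),
            "enumeration": enumerating_ips(events, threshold)}
```

Feed real access logs through `parse` with a regex matching your own format; the two detectors only need ip, sid, path and number per event.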
Monitoring Recommendations
- Enable detailed access logging for all cart-related controller actions
- Set up alerts for high-frequency cart endpoint requests from single IP addresses
- Monitor for cart hijacking indicators such as sudden changes in shipping addresses after cart population
- Review access logs for patterns indicating automated cart number enumeration
How to Mitigate CVE-2026-31867
Immediate Actions Required
- Upgrade Craft Commerce immediately: to 4.11.0 or later on the 4.x line, or 5.6.0 or later on the 5.x line
- Review recent cart and order activity for signs of unauthorized access or manipulation
- Notify affected customers if any unauthorized cart access is detected
- Consider invalidating all current cart sessions and requiring customers to rebuild carts after applying the patch
Patch Information
The vulnerability has been fixed in Craft Commerce versions 4.11.0 and 5.6.0. The fix implements proper ownership validation to ensure that only the legitimate owner of a cart can access and modify it. Organizations should upgrade to these versions or later as soon as possible.
For technical details on the fix, refer to the GitHub Pull Request and the GitHub Security Advisory.
Workarounds
- Implement additional rate limiting on cart endpoints to slow enumeration attempts
- Add custom middleware to validate cart ownership against session or user identifiers before processing cart requests
- Consider adding IP-based session binding for cart access as a defense-in-depth measure
- Deploy a WAF with rules to block suspicious patterns of cart access requests
If immediate patching is not possible, organizations should implement these workarounds while planning an expedited upgrade path. However, upgrading to the patched versions remains the only complete remediation.
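A constructed side-by-side of the vulnerable lookup described under Root Cause (existence and incomplete state checked, ownership not) and the ownership validation suggested as a workaround above. This is added example code, not Craft Commerce's implementation; the Cart fields, the in-memory CARTS store and the function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

@dataclass
class Cart:
    number: str                    # 32-hex-char public identifier, like Craft Commerce's
    owner_session: str             # hypothetical: id of the session that created the cart
    owner_user_id: Optional[int]   # hypothetical: user id when the customer is logged in
    is_completed: bool = False
    items: dict = field(default_factory=dict)

CARTS: dict = {}  # constructed in-memory store standing in for the orders table

def create_cart(session_id: str, user_id: Optional[int] = None) -> Cart:
    """Mint a cart with a random 32-hex-char number, bound to the creating session/user."""
    cart = Cart(secrets.token_hex(16), session_id, user_id)
    CARTS[cart.number] = cart
    return cart

def load_cart_vulnerable(number: str) -> Optional[Cart]:
    """The CWE-639 pattern: existence and 'incomplete' are checked, ownership is not."""
    cart = CARTS.get(number)
    if cart is None or cart.is_completed:
        return None
    return cart

def load_cart_hardened(number: str, session_id: str, user_id: Optional[int]) -> Optional[Cart]:
    """Ownership binding: the number is a locator, never an authorization token."""
    cart = CARTS.get(number)
    if cart is None or cart.is_completed:
        return None
    if user_id is not None:
        # Logged-in customers may load only carts recorded under their own user id.
        owned = cart.owner_user_id == user_id
    else:
        # Anonymous callers may load only the cart minted for their own session;
        # a cart that belongs to a user is never served anonymously.
        owned = cart.owner_user_id is None and secrets.compare_digest(
            cart.owner_session, session_id
        )
    # Fail closed: a wrong owner gets the same answer as a nonexistent cart,
    # so the response does not reveal whether a guessed number is valid.
    return cart if owned else None
```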
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

