CVE-2026-32270 Overview
CVE-2026-32270 is an information disclosure vulnerability in Craft Commerce, an ecommerce platform for Craft CMS. The vulnerability exists in the PaymentsController::actionPay method, which discloses sensitive order data to unauthenticated users when an order number is provided and the email validation check fails during anonymous payment processing.
When an attacker provides an order number during the payment flow, the application retrieves the order before proper authorization is enforced. If the email check fails, the JSON error response includes a serialized order object containing sensitive customer information such as email addresses, shipping addresses, and billing addresses.
Critical Impact
Unauthenticated attackers can extract customer personally identifiable information (PII) including email addresses and physical addresses by exploiting the improper authorization flow in the payment controller.
Affected Products
- Craft Commerce versions 4.0.0 through 4.10.2
- Craft Commerce versions 5.0.0 through 5.5.4
Discovery Timeline
- April 13, 2026 - CVE-2026-32270 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32270
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw occurs in the frontend payment flow where the actionPay() method retrieves orders by their order number before authorization is fully enforced. This sequence allows unauthenticated users to trigger information disclosure by manipulating payment requests.
The vulnerability is network-accessible and requires no privileges to exploit, though successful exploitation requires the attacker to know or guess valid order numbers. The information disclosed includes customer email addresses, shipping addresses, and billing addresses—all of which constitute personally identifiable information (PII) that could be leveraged for phishing attacks, identity theft, or further targeted attacks against customers.
Root Cause
The root cause is an authorization bypass in the payment processing flow. The PaymentsController::actionPay method loads the order object by number before validating whether the requester has proper authorization to access that order's data. When the email verification fails, instead of returning a generic error, the application returns a detailed JSON response containing the fully serialized order object with all its sensitive fields intact.
Attack Vector
The attack vector is network-based, targeting the payment endpoint. An attacker can exploit this vulnerability by sending crafted payment requests to the Craft Commerce application with guessed or enumerated order numbers. When the email validation fails, the error response leaks the order data. This attack requires no authentication and can be performed remotely.
The exploitation flow works as follows: An attacker submits a payment request with a valid order number but an incorrect or missing email address. The application loads the order in order to verify the email, and when that validation fails it returns the already-loaded order in the error response, so the data leaves the application before any authorization decision has been enforced.
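The order-of-operations flaw described above, as an added illustration that is not Craft Commerce code: a hypothetical pay() handler in the vulnerable shape beside a hardened version, operating on a constructed in-memory order store (the store, field names and messages are assumptions).

```python
# Added illustration, not Craft Commerce code: a hypothetical pay() handler in
# the vulnerable shape described above, beside a hardened version.
import hmac
import logging
from typing import Optional
log = logging.getLogger("payments")

# Constructed in-memory order store keyed by order number.
ORDERS = {
    "a1b2c3d4": {
        "number": "a1b2c3d4",
        "email": "customer@example.com",
        "shippingAddress": {"line1": "1 Example St", "city": "Springfield"},
        "billingAddress": {"line1": "1 Example St", "city": "Springfield"},
        "total": "49.00",
    },
}

def pay_vulnerable(number: str, email: Optional[str]) -> dict:
    """Load the order, check the email afterwards, and echo the order on failure."""
    order = ORDERS.get(number)
    if order is None:
        return {"success": False, "error": "Order not found"}
    if email != order["email"]:
        # The flaw: the error payload carries the whole serialized order.
        return {"success": False, "error": "Email does not match", "order": order}
    return {"success": True, "order": order}

def pay_hardened(number: str, email: Optional[str]) -> dict:
    """Treat the email as the credential for this order: verify it before any order data is placed in a response."""
    order = ORDERS.get(number)
    # One generic message for unknown number and wrong email alike, so the
    # response does not confirm that a guessed order number exists.
    if order is None or not email or not hmac.compare_digest(
        email.strip().lower().encode(), order["email"].lower().encode()
    ):
        log.warning("payment authorization failed for order number %r", number)
        return {"success": False, "error": "Unable to process payment"}
    # The caller is now authorized; still expose only what the payment step needs.
    return {"success": True, "order": {"number": order["number"], "total": order["total"]}}

def leaks_pii(response: dict) -> bool:
    """True when a failed response still carries customer fields."""
    order = response.get("order") or {}
    return not response.get("success") and any(
        k in order for k in ("email", "shippingAddress", "billingAddress")
    )
```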
Detection Methods for CVE-2026-32270
Indicators of Compromise
- Unusual volume of failed payment attempts with varying order numbers from single IP addresses
- Error responses from payment endpoints containing serialized order objects with customer PII
- Repeated requests to the payment action endpoint with invalid or missing email parameters
- Access logs showing systematic enumeration patterns targeting the payment controller
Detection Strategies
- Monitor web application firewall (WAF) logs for repeated failed payment requests from the same source
- Implement rate limiting on payment endpoints and alert on threshold violations
- Review application logs for error responses that include serialized order data
- Analyze network traffic for patterns consistent with order number enumeration attacks
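The enumeration indicators and log-review strategies above, turned into a check over constructed access-log lines. This is an added detection sketch, not Craft Commerce or vendor tooling; the action path, the orderNumber query parameter and the body-size threshold are assumptions to be adapted to the site's real routes.

```python
# Added detection sketch, not Craft Commerce or vendor tooling: flag clients that
# call the payment action with many distinct order numbers and mostly failures.
import re
from collections import defaultdict

# Constructed access-log lines; the action path and orderNumber parameter name
# are assumptions for illustration and must match the site's real routes.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2026:10:00:01 +0000] "POST /actions/commerce/payments/pay?orderNumber=a1b2c3d4 HTTP/1.1" 400 812
203.0.113.7 - - [13/Apr/2026:10:00:02 +0000] "POST /actions/commerce/payments/pay?orderNumber=e5f6a7b8 HTTP/1.1" 400 790
203.0.113.7 - - [13/Apr/2026:10:00:02 +0000] "POST /actions/commerce/payments/pay?orderNumber=c9d0e1f2 HTTP/1.1" 400 805
203.0.113.7 - - [13/Apr/2026:10:00:03 +0000] "POST /actions/commerce/payments/pay?orderNumber=0a1b2c3d HTTP/1.1" 400 799
198.51.100.4 - - [13/Apr/2026:10:05:10 +0000] "POST /actions/commerce/payments/pay?orderNumber=a1b2c3d4 HTTP/1.1" 400 120
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
ORDER_RE = re.compile(r"[?&]orderNumber=([^&\s]+)")
PAY_PATH = "/actions/commerce/payments/pay"

def parse_line(line):
    """Return ip/status/size/order for a payment-action hit, else None."""
    m = LINE_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != PAY_PATH:
        return None
    o = ORDER_RE.search(m["path"])
    return {"ip": m["ip"], "status": int(m["status"]), "size": int(m["size"]),
            "order": o.group(1) if o else None}

def find_enumerators(log_text, min_distinct_orders=3, min_failure_ratio=0.75):
    """Per source IP: distinct order numbers tried, failure ratio, and oversized 4xx bodies."""
    per_ip = defaultdict(lambda: {"orders": set(), "failed": 0, "total": 0, "big_errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["order"]:
            s["orders"].add(rec["order"])
        if rec["status"] >= 400:
            s["failed"] += 1
            if rec["size"] > 500:  # constructed threshold: a bare error is far smaller than a serialized order
                s["big_errors"] += 1
    return {ip: {"distinct_orders": len(s["orders"]), "failure_ratio": s["failed"] / s["total"],
                 "big_error_bodies": s["big_errors"]}
            for ip, s in per_ip.items()
            if len(s["orders"]) >= min_distinct_orders
            and s["failed"] / s["total"] >= min_failure_ratio}
```

An IP that trips both thresholds is a candidate for the rate-limit or WAF response listed above, and its oversized error bodies indicate whether the leak was actually served rather than merely attempted.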
Monitoring Recommendations
- Configure alerting for anomalous payment endpoint error rates
- Enable detailed logging on the PaymentsController::actionPay method to track failed authorization attempts
- Implement honeypot order numbers to detect active exploitation attempts
- Monitor for data exfiltration patterns in outbound responses from payment endpoints
How to Mitigate CVE-2026-32270
Immediate Actions Required
- Upgrade Craft Commerce version 4.x installations to version 4.11.0 or later
- Upgrade Craft Commerce version 5.x installations to version 5.6.0 or later
- Review application logs for evidence of prior exploitation attempts
- Implement rate limiting on payment endpoints as a temporary protective measure
Patch Information
The vulnerability has been fixed in Craft Commerce versions 4.11.0 and 5.6.0. The patch ensures that authorization checks are properly enforced before order data is loaded and prevents sensitive order information from being included in error responses.
For detailed patch information, refer to the GitHub Commit Update. The fixed versions are available at GitHub Release Version 4.11.0 and GitHub Release Version 5.6.0. Additional details are available in the GitHub Security Advisory GHSA-3vxg-x5f8-f5qf.
Workarounds
- Implement Web Application Firewall (WAF) rules to filter or block requests that appear to be probing the payment endpoint
- Add rate limiting on the payment controller to slow down enumeration attempts
- Consider temporarily disabling anonymous payments until the patch can be applied
- Implement additional server-side logging to detect and respond to exploitation attempts
# Example Composer upgrade command for Craft Commerce
composer require craftcms/commerce:^4.11.0
# Or for version 5.x
composer require craftcms/commerce:^5.6.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.