CVE-2026-39079 Overview
CVE-2026-39079 is an information disclosure vulnerability affecting the PrestaShop upsshipping module across all versions up to and including 2.4.0. The flaw exists in the /modules/upsshipping/logs/ directory and the /modules/upsshipping/lib/UPSBaseApi.php component. A remote unauthenticated attacker can access these endpoints over the network to retrieve sensitive information without user interaction. The vulnerability is categorized under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. PrestaShop merchants using the UPS shipping integration are exposed to data leakage that may include API credentials, transaction logs, and customer shipping data.
Critical Impact
Unauthenticated remote attackers can retrieve sensitive log data and configuration details from affected PrestaShop stores using the upsshipping module.
Affected Products
- PrestaShop upsshipping module — all versions through at least 2.4.0
- /modules/upsshipping/logs/ log directory
- /modules/upsshipping/lib/UPSBaseApi.php API helper component
Discovery Timeline
- 2026-05-18 - CVE-2026-39079 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-39079
Vulnerability Analysis
The vulnerability stems from improper access control on resources within the PrestaShop upsshipping module. Two specific paths leak sensitive data to unauthenticated remote requests. The /modules/upsshipping/logs/ directory exposes log files generated by the module's runtime operations. These logs typically include API request and response data, shipping label generation events, and diagnostic output. The /modules/upsshipping/lib/UPSBaseApi.php file is a PHP library that should not be directly accessible through the web server. Direct access reveals source code, internal API logic, and potentially embedded configuration data.
Root Cause
The module fails to restrict direct HTTP access to internal files and log storage. PrestaShop modules conventionally include an index.php stub or .htaccess rules to prevent directory listing and direct file retrieval. The upsshipping module omits these protections for the affected paths. Attackers reach the resources without authentication because no access control check is performed at the module level.
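The convention described above can be checked mechanically. The script below is an added example, not code from the page, from Esokia or from the PrestaShop project: it walks a modules/ directory and reports every logs/ or lib/ subdirectory that carries neither an index.php stub nor a .htaccess file. The sample tree it builds is constructed in a temporary directory purely for demonstration; the subdirectory names and file contents are assumptions, not taken from the real module.

```python
import tempfile
from pathlib import Path

# Subdirectories a PrestaShop module may ship that must not be browsable or
# directly retrievable. The index.php stub is the convention the advisory
# describes; note that the stub only stops directory listings, while a
# .htaccess (Apache) or a server-level rule (Nginx) is what blocks direct
# retrieval of a known file name.
SENSITIVE_SUBDIRS = ("logs", "lib")
PROTECTION_FILES = ("index.php", ".htaccess")


def audit_module_dir(modules_root):
    """Return a list of (module, subdir, missing_files) for every sensitive
    subdirectory that has none of the protection files present."""
    findings = []
    root = Path(modules_root)
    for module in sorted(p for p in root.iterdir() if p.is_dir()):
        for sub in SENSITIVE_SUBDIRS:
            d = module / sub
            if not d.is_dir():
                continue
            missing = tuple(f for f in PROTECTION_FILES if not (d / f).is_file())
            if len(missing) == len(PROTECTION_FILES):
                findings.append((module.name, sub, missing))
    return findings


def build_sample_tree():
    """Construct a throwaway modules/ tree for demonstration (hypothetical
    layout, not a real PrestaShop installation)."""
    base = Path(tempfile.mkdtemp(prefix="ps_modules_"))
    # Module with unprotected logs/ and lib/, the shape the advisory describes
    (base / "upsshipping" / "logs").mkdir(parents=True)
    (base / "upsshipping" / "lib").mkdir(parents=True)
    (base / "upsshipping" / "lib" / "UPSBaseApi.php").write_text("<?php // library\n")
    (base / "upsshipping" / "logs" / "api.log").write_text("constructed log line\n")
    # Module that follows the convention: index.php stub present in logs/
    (base / "goodmodule" / "logs").mkdir(parents=True)
    (base / "goodmodule" / "logs" / "index.php").write_text(
        "<?php header('Location: ../'); exit;\n"
    )
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for module, sub, missing in audit_module_dir(sample_root):
        print(f"{module}/{sub}: missing {', '.join(missing)}")
```

Run it against the real modules/ directory of a store by passing that path to audit_module_dir; any finding is a directory that relies entirely on web-server configuration for protection.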
Attack Vector
An attacker identifies a PrestaShop store running the vulnerable upsshipping module and issues HTTP GET requests directly to the exposed paths. Log enumeration may reveal UPS API keys, account numbers, customer addresses, and order identifiers logged during shipping operations. Retrieval of UPSBaseApi.php exposes the source code of the API integration. Refer to the Esokia CVE-2026-39079 Analysis for path-level details.
Detection Methods for CVE-2026-39079
Indicators of Compromise
- HTTP GET requests targeting /modules/upsshipping/logs/ from external IP addresses
- Direct requests to /modules/upsshipping/lib/UPSBaseApi.php returning HTTP 200 responses
- Web server access logs showing enumeration of .log or .txt files under the module directory
- Unusual outbound traffic to UPS API endpoints following exposure of leaked credentials
Detection Strategies
- Review web server access logs for any successful requests to module subdirectories that should not be web-accessible
- Run authenticated and unauthenticated crawls of the PrestaShop installation to enumerate exposed module paths
- Compare the file listing returned by direct requests against expected module file inventory
Monitoring Recommendations
- Alert on HTTP 200 responses for requests matching /modules/*/logs/* patterns
- Monitor for unexpected access patterns to .php files inside lib/ directories of PrestaShop modules
- Track UPS API account activity for anomalous shipping label generation that may indicate credential abuse
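The log-review and alerting items above can be turned into a small parser. The following is an added example, not code from the page or from Esokia: it reads combined-format access log lines and returns every HTTP 200 response to a module logs/ directory or to a .php file under a module lib/ directory. It generalizes the recommendations slightly by matching any module name under /modules/, not only upsshipping. The log lines are constructed for the example and do not describe real traffic; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2026:10:01:02 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/May/2026:10:01:05 +0000] "GET /modules/upsshipping/logs/api_2026-05-17.log HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.10 - - [18/May/2026:10:01:09 +0000] "GET /modules/upsshipping/lib/UPSBaseApi.php HTTP/1.1" 200 14302 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2026:10:02:00 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.44 - - [18/May/2026:10:03:00 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
192.0.2.44 - - [18/May/2026:10:03:01 +0000] "GET /modules/upsshipping/views/js/front.js HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# Apache/Nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths from the Monitoring Recommendations: anything under a module's logs/
# directory, or a PHP file under a module's lib/ directory.
SUSPECT_PATH_RE = re.compile(r'^/modules/[^/]+/(logs/|lib/[^?]*\.php$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_exposures(log_text):
    """Return (ip, path, status) for each successful request to a suspect module path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 200 and SUSPECT_PATH_RE.match(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def summarize_by_ip(hits):
    """Group exposed paths by requesting client so each source can be reviewed once."""
    by_ip = defaultdict(list)
    for ip, path, _status in hits:
        by_ip[ip].append(path)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, paths in summarize_by_ip(find_exposures(SAMPLE_LOG)).items():
        print(ip)
        for p in paths:
            print("  ", p)
```

Only 200 responses count as exposures; the 403 line in the sample shows what the same request looks like once a deny rule is in place, and the front.js request shows that ordinary module assets are not flagged.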
How to Mitigate CVE-2026-39079
Immediate Actions Required
- Audit the installed version of the PrestaShop upsshipping module and identify whether it is exposed publicly
- Block direct HTTP access to /modules/upsshipping/logs/ and /modules/upsshipping/lib/ at the web server or WAF layer
- Rotate any UPS API credentials, account numbers, and access keys configured in the module
- Review existing log files for sensitive data and remove or relocate them outside the web root
Patch Information
No official patched version is referenced in the NVD entry at the time of publication. Affected installations should monitor the module vendor for a fixed release and consult the Esokia CVE-2026-39079 Analysis for current remediation guidance.
Workarounds
- Add a deny rule in Apache or Nginx for requests to the logs/ and lib/ subdirectories of the module
- Place a restrictive .htaccess file in /modules/upsshipping/logs/ and /modules/upsshipping/lib/ denying all access
- Move log output to a directory outside the web-accessible document root
- Disable the upsshipping module until a fixed release is available if UPS integration is not business-critical
# Configuration example: Apache 2.4 .htaccess to block direct access
# Place in /modules/upsshipping/logs/ and /modules/upsshipping/lib/
# (the directory must allow AllowOverride AuthConfig or All for this to take effect)
Require all denied
# Nginx equivalent (inside the server block; Nginx does not read .htaccess files)
# deny all already answers with HTTP 403
location ~ ^/modules/upsshipping/(logs|lib)/ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.