Spree API has Unauthenticated IDOR – Guest Address_CVE-2026-22589

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

Basic Information

ID CVE-2026-22589

Source GitHub_M

Published Jan 10, 2026 at 03:17

Affected Product

Vendor spree

Product spree

Version >= 5.2.0, < 5.2.5

Affected Versions spree spree >= 5.2.0, < 5.2.5
spree spree >= 5.1.0, < 5.1.9
spree spree >= 5.0.0, < 5.0.7
spree spree < 4.10.2

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.",
    "published": "2026-01-10T03:17:58.494Z",
    "modified": "2026-01-10T03:17:58.494Z",
    "type": "cve",
    "title": "Spree API has Unauthenticated IDOR - Guest Address",
    "source": "GitHub_M",
    "references": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr\nhttps://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795\nhttps://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad\nhttps://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67\nhttps://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad",
    "id": "CVE-2026-22589",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "spree spree >= 5.2.0, < 5.2.5\nspree spree >= 5.1.0, < 5.1.9\nspree spree >= 5.0.0, < 5.0.7\nspree spree < 4.10.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "spree",
    "version": ">= 5.2.0, < 5.2.5",
    "vendor": "spree",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}