Unauthenticated Spree Commerce users can view completed guest orders by...

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Basic Information

ID CVE-2026-25757

Source GitHub_M

Published Feb 6, 2026 at 22:37

Affected Product

Vendor spree

Product spree

Version < 5.0.8

Affected Versions spree spree < 5.0.8
spree spree >= 5.1.0, < 5.1.10
spree spree >= 5.2.0, < 5.2.7
spree spree >= 5.3.0, < 5.3.2

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.",
    "published": "2026-02-06T22:37:07.542Z",
    "modified": "2026-02-06T22:37:07.542Z",
    "type": "cve",
    "title": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID",
    "source": "GitHub_M",
    "references": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9\nhttps://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab\nhttps://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be\nhttps://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d\nhttps://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad\nhttps://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14\nhttps://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8\nhttps://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45",
    "id": "CVE-2026-25757",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "spree spree < 5.0.8\nspree spree >= 5.1.0, < 5.1.10\nspree spree >= 5.2.0, < 5.2.7\nspree spree >= 5.3.0, < 5.3.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "spree",
    "version": "< 5.0.8",
    "vendor": "spree",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unauthenticated Spree Commerce users can view completed guest orders by Order ID_CVE-2026-25757