Vulnerability DatabaseCVE-2026-25758
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-25758
February 06, 2026
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Affected Packages
https://github.com/spree/spree.git (GITHUB):
Affected version(s) >=v5.2.0.rc1 <v5.2.7
Fix Suggestion:
Update to version v5.2.7
https://github.com/spree/spree.git (GITHUB):
Affected version(s) >=v4.10.0 <4.10.3
Fix Suggestion:
Update to version 4.10.3
https://github.com/spree/spree.git (GITHUB):
Affected version(s) >=v5.1.0.beta <v5.1.10
Fix Suggestion:
Update to version v5.1.10
https://github.com/spree/spree.git (GITHUB):
Affected version(s) >=v5.3.0.rc2 <v5.3.2
Fix Suggestion:
Update to version v5.3.2
https://github.com/spree/spree.git (GITHUB):
Affected version(s) >=v5.0.0 <v5.0.8
Fix Suggestion:
Update to version v5.0.8
spree_api (RUBY):
Affected version(s) >=5.1.0 <5.1.10
Fix Suggestion:
Update to version 5.1.10
spree_api (RUBY):
Affected version(s) >=5.2.0 <5.2.7
Fix Suggestion:
Update to version 5.2.7
spree_api (RUBY):
Affected version(s) >=0.30.0.beta1 <4.10.3
Fix Suggestion:
Update to version 4.10.3
spree_api (RUBY):
Affected version(s) >=5.0.0 <5.0.8
Fix Suggestion:
Update to version 5.0.8
spree_api (RUBY):
Affected version(s) >=5.3.0 <5.3.2
Fix Suggestion:
Update to version 5.3.2
Related Resources (13)
https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
https://nvd.nist.gov/vuln/detail/CVE-2026-25758
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml
https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
https://github.com/spree/spree
https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
CWE-639
Improper Access Control
CWE-284
EPSS
Base Score:
0.03