CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-P39J-8498-PCJW
Vulnerability from github – Published: 2026-07-03 18:31 – Updated: 2026-07-03 18:31A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.
{
"affected": [],
"aliases": [
"CVE-2026-14614"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T16:16:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the ClientResource component of Keycloak\u0027s admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.",
"id": "GHSA-p39j-8498-pcjw",
"modified": "2026-07-03T18:31:06Z",
"published": "2026-07-03T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14614"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-14614"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496889"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P3RH-58J4-QHHQ
Vulnerability from github – Published: 2025-03-09 18:30 – Updated: 2025-03-09 18:30A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-2125"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-09T16:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-p3rh-58j4-qhhq",
"modified": "2025-03-09T18:30:52Z",
"published": "2025-03-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2125"
},
{
"type": "WEB",
"url": "https://github.com/yago3008/cves"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.299038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.299038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.509856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P3RQ-F799-8PW3
Vulnerability from github – Published: 2024-11-01 12:30 – Updated: 2024-11-05 09:30A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-10654"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T12:15:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-p3rq-f799-8pw3",
"modified": "2024-11-05T09:30:37Z",
"published": "2024-11-01T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10654"
},
{
"type": "WEB",
"url": "https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20LR350%20Vuln.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.282667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.282667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.434801"
},
{
"type": "WEB",
"url": "https://www.totolink.net"
},
{
"type": "WEB",
"url": "https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/231/ids/36.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P458-C575-82FH
Vulnerability from github – Published: 2023-12-12 09:30 – Updated: 2023-12-12 09:30Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources.
{
"affected": [],
"aliases": [
"CVE-2023-48641"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T08:15:07Z",
"severity": "HIGH"
},
"details": "Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources.",
"id": "GHSA-p458-c575-82fh",
"modified": "2023-12-12T09:30:32Z",
"published": "2023-12-12T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48641"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/t5/platform-announcements/archer-update-for-multiple-vulnerabilities/ta-p/711859"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P5HV-VFXR-C3G7
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21Insecure Direct Object Reference in edit function of Advanced Forms (Free & Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress's user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.
{
"affected": [],
"aliases": [
"CVE-2021-24892"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-23T20:15:00Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference in edit function of Advanced Forms (Free \u0026 Pro) before 1.6.9 allows authenticated remote attacker to change arbitrary user\u0027s email address and request for reset password, which could lead to take over of WordPress\u0027s administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress\u0027s user and use such user to authenticate with WordPress in order to exploit the vulnerable edit function.",
"id": "GHSA-p5hv-vfxr-c3g7",
"modified": "2022-05-24T19:21:13Z",
"published": "2022-05-24T19:21:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24892"
},
{
"type": "WEB",
"url": "https://github.com/advancedforms/advanced-forms/commit/2ce3ab6985c3a909eefb01c562995bc6a994d3a2"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/364b0843-a990-4204-848a-60c928cc5bc0"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P5JR-RFJ3-98F5
Vulnerability from github – Published: 2024-01-02 21:30 – Updated: 2024-01-08 21:30An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
{
"affected": [],
"aliases": [
"CVE-2023-45892"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T21:15:09Z",
"severity": "HIGH"
},
"details": "An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.",
"id": "GHSA-p5jr-rfj3-98f5",
"modified": "2024-01-08T21:30:32Z",
"published": "2024-01-02T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45892"
},
{
"type": "WEB",
"url": "https://github.com/Oracle-Security/CVEs/blob/main/FloorsightSoftware/CVE-2023-45892.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5V5-V74Q-W38H
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
{
"affected": [],
"aliases": [
"CVE-2026-10140"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T20:17:27Z",
"severity": "CRITICAL"
},
"details": "IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.",
"id": "GHSA-p5v5-v74q-w38h",
"modified": "2026-06-30T21:31:44Z",
"published": "2026-06-30T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10140"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7278209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P628-386J-64H8
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.
{
"affected": [],
"aliases": [
"CVE-2020-27742"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else\u0027s emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived \"Multiple Security Vulnerabilities in WebCit 926\" thread.",
"id": "GHSA-p628-386j-64h8",
"modified": "2022-05-24T17:32:37Z",
"published": "2022-05-24T17:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27742"
},
{
"type": "WEB",
"url": "https://www.citadel.org"
},
{
"type": "WEB",
"url": "http://uncensored.citadel.org/readfwd?go=Citadel%20Security?start_reading_at=4592834"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P652-XCGX-F85M
Vulnerability from github – Published: 2024-08-29 17:59 – Updated: 2024-08-30 14:33An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "12.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "10.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45232"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T17:59:02Z",
"nvd_published_at": "2024-08-29T00:15:09Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (`plugin.tx_powermail.settings.db.enable=1`), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.",
"id": "GHSA-p652-xcgx-f85m",
"modified": "2024-08-30T14:33:54Z",
"published": "2024-08-29T17:59:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45232"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/061756732357206f2f13bf39a0676dd266ec9586"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/ac402d4972c77dd119c8db6ffe594c15e8ae0bc5"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/e2ddfaa06d29019d60be02b5a3da04b237ed760b"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/f58d70311799ae5f6acbec52ea9206d21eba91bb"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-45232.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/powermail"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "\"powermail\" (powermail) Insecure Direct Object Reference (IDOR)"
}
GHSA-P6PV-Q7RC-G4H9
Vulnerability from github – Published: 2026-02-05 21:13 – Updated: 2026-02-13 17:16Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)
The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.
Order lookup without enforcing token requirement in OrdersController#show:
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
Authorization bypass for guest orders in authorize_access:
def authorize_access
return true if @order.user_id.nil?
@order.user == try_spree_current_user
end
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)
Proof of Concept
- As a guest create a complete order.
- Fetch the latest Order ID from the database (Table:
spree_orders). - In another clean browser access following URL:
<SPREE-HOST>/orders/<ORDER-ID>. (Sample:http://localhost:3000/orders/R496592563)
=> Full guest order details are disclosed including names, addresses and limited payment info.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
CWEs
- CWE-639: Authorization Bypass Through User-Controlled Key
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_storefront"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25757"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:13:24Z",
"nvd_published_at": "2026-02-06T23:15:54Z",
"severity": "HIGH"
},
"details": "### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)\n\nThe `OrdersController#show` action permits viewing completed guest orders by order number alone, without requiring the associated order token.\n\nOrder lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):\n\n```ruby\n@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first\n```\n\nAuthorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):\n```ruby\ndef authorize_access\n return true if @order.user_id.nil?\n\n @order.user == try_spree_current_user\nend\n```\n\nIf the attacker is in possession of a leaked Order ID, they might look it up directly via this API.\nAlternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)\n\n\n#### Proof of Concept\n\n1. As a guest create a complete order.\n2. Fetch the latest Order ID from the database (Table: `spree_orders`).\n3. In another clean browser access following URL: `\u003cSPREE-HOST\u003e/orders/\u003cORDER-ID\u003e`. (Sample: `http://localhost:3000/orders/R496592563`)\n\n=\u003e Full guest order details are disclosed including names, addresses and limited payment info.\n\n#### Impact\n\nThis issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).\n\n#### CWEs\n\n- CWE-639: Authorization Bypass Through User-Controlled Key\n\n### Credit\n\nThis issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter St\u00f6ckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).\n\n### Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-p6pv-q7rc-g4h9",
"modified": "2026-02-13T17:16:21Z",
"published": "2026-02-05T21:13:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25757"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_storefront/CVE-2026-25757.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Spree Commerce users can view completed guest orders by Order ID"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.