GHSA-VFF3-PQQ8-4CPQ

Vulnerability from github – Published: 2026-03-10 18:24 – Updated: 2026-03-11 20:57
VLAI?
Summary
Craft Commerce: Potential IDOR in Commerce carts
Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.

Vulnerability Details

Root Cause

The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.

// CartController.php:374-389 - actionLoadCart()
public function actionLoadCart(): ?Response
{
    $number = $this->request->getParam('number');

    if ($number === null) {
        return $this->asFailure(Craft::t('commerce', 'A cart number must be specified.'));
    }

    // No ownership check - returns any cart to any requester
    $cart = Order::find()->number($number)->isCompleted(false)->one();

    // Cart is loaded into attacker's session without authorization
    ...
}

// CartController.php:606-616 - _getCart()
$orderNumber = $this->request->getBodyParam('number');
if ($orderNumber) {
    // Same issue - no ownership validation
    $cart = Order::find()->number($orderNumber)->isCompleted(false)->one();
    // Returns cart to any requester who knows the number
}

Attack Scenario

Prerequisites

  • Target Craft Commerce installation with active shopping carts
  • Knowledge of a victim’s cart number (32-character hex string)

Cart Number Acquisition Vectors

  1. Referrer Header Leakage: Cart URLs shared externally expose the number
  2. Browser History: Accessible on shared/compromised devices
  3. Proxy/WAF Logs: Cart numbers logged in URL parameters
  4. Social Engineering: Support tickets, screenshots containing cart URLs
  5. Brute Force: While impractical for random targeting, feasible for targeted attacks against recently-created carts
Severity ?
6.3 (Medium)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:24:49Z",
    "nvd_published_at": "2026-03-11T18:16:25Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce\u2019s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.\n\n## Vulnerability Details\n\n### Root Cause\n\nThe `CartController` accepts a user-supplied `number` parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.\n\n```php\n// CartController.php:374-389 - actionLoadCart()\npublic function actionLoadCart(): ?Response\n{\n    $number = $this-\u003erequest-\u003egetParam(\u0027number\u0027);\n\n    if ($number === null) {\n        return $this-\u003easFailure(Craft::t(\u0027commerce\u0027, \u0027A cart number must be specified.\u0027));\n    }\n\n    // No ownership check - returns any cart to any requester\n    $cart = Order::find()-\u003enumber($number)-\u003eisCompleted(false)-\u003eone();\n\n    // Cart is loaded into attacker\u0027s session without authorization\n    ...\n}\n```\n\n```php\n// CartController.php:606-616 - _getCart()\n$orderNumber = $this-\u003erequest-\u003egetBodyParam(\u0027number\u0027);\nif ($orderNumber) {\n    // Same issue - no ownership validation\n    $cart = Order::find()-\u003enumber($orderNumber)-\u003eisCompleted(false)-\u003eone();\n    // Returns cart to any requester who knows the number\n}\n```\n---\n\n## Attack Scenario\n\n### Prerequisites\n- Target Craft Commerce installation with active shopping carts\n- Knowledge of a victim\u2019s cart number (32-character hex string)\n\n### Cart Number Acquisition Vectors\n\n1. **Referrer Header Leakage**: Cart URLs shared externally expose the number\n2. **Browser History**: Accessible on shared/compromised devices\n3. **Proxy/WAF Logs**: Cart numbers logged in URL parameters\n4. **Social Engineering**: Support tickets, screenshots containing cart URLs\n5. **Brute Force**: While impractical for random targeting, feasible for targeted attacks against recently-created carts\n\n---",
  "id": "GHSA-vff3-pqq8-4cpq",
  "modified": "2026-03-11T20:57:29Z",
  "published": "2026-03-10T18:24:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/pull/4207"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce: Potential IDOR in Commerce carts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.