A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
GHSL-2026-027)The vulnerability stems from incomplete authorization validation in Spree's checkout address assignment logic. While nested address attributes (bill_address_attributes[id] and ship_address_attributes[id]) are properly validated through validate_address_ownership, plain ID parameters (bill_address_id and ship_address_id) bypass this check entirely. Since Spree's address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.
Permitted Attributes (core/lib/spree/permitted_attributes.rb:92–96)
bill_address_id and ship_address_id as permitted parameters without validationCheckout Update (core/app/models/spree/order/checkout.rb:241–254)
update_from_paramsIncomplete Ownership Validation (core/app/services/spree/checkout/update.rb:33–48)
-...
4.10.35.0.85.1.105.2.75.3.2Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:N7.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P