GHSL-2026-029)The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.
Order lookup without enforcing token requirement in OrdersController#show:
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
Authorization bypass for guest orders in authorize_access:
def authorize_access
return true if @order.user_id.nil?
@order.user == try_spree_current_user
end
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)
spree_orders).<SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)=> Full guest order details are disclosed including names, addresses and limited payment info.
This issue may lead to disclosure of PII of guest users (including names,...
5.0.85.1.105.2.75.3.2Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:N7.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P