CVE-2026-25757 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
GHSL-2026-029)The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.
Order lookup without enforcing token requirement in OrdersController#show:
@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first
Authorization bypass for guest orders in authorize_access:
def authorize_access
return true if @order.user_id.nil?
@order.user == try_spree_current_user
end
If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)
spree_orders).<SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)=> Full guest order details are disclosed including names, addresses and limited payment info.
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.