What is CVE-2026-25757?

### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`) The `OrdersController#show` action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14): ```ruby @order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first ``` Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8): ```ruby def authorize_access return true if @order.user_id.nil? @order.user == try_spree_current_user end ``` If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.) #### Proof of Concept 1. As a guest create a complete order. 2. Fetch the latest Order ID from the database (Table: `spree_orders`). 3. In another clean browser access following URL: ` /orders/ `. (Sample: `http://localhost:3000/orders/R496592563`) => Full guest order details are disclosed including names, addresses and limited payment info. #### Impact This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). #### CWEs - CWE-639: Authorization Bypass Through User-Controlled Key ### Credit This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter Stöckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo). ### Disclosure Policy This report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).

What is the severity of CVE-2026-25757?

CVE-2026-25757 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25757?

No known public exploits are currently available for CVE-2026-25757.

Is there a patch available for CVE-2026-25757?

Yes, patches are available for CVE-2026-25757. Check the vendor advisories for update instructions.

CVE-2026-25757 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)

The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.

Order lookup without enforcing token requirement in OrdersController#show:

@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first

Authorization bypass for guest orders in authorize_access:

def authorize_access
  return true if @order.user_id.nil?

  @order.user == try_spree_current_user
end

If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)

Proof of Concept

As a guest create a complete order.
Fetch the latest Order ID from the database (Table: spree_orders).
In another clean browser access following URL: <SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)

=> Full guest order details are disclosed including names, addresses and limited payment info.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com

CVE-2026-25757

Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)

Proof of Concept

Impact

CWEs

Credit

Disclosure Policy

Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)