Summary
An Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies.
Details
During testing, it was observed that all guest users can make an unauthenticated request to retrieve address data belonging to other guest users by manipulating object identifiers. The attacker would need to know the storefront URL structure to perform this attack (which can be learnt after creating a registered user account).
Affected Component(s)
- Address Edit endpoint:
/addresses/{addressId}/edit
Root Cause
- Faulty authorization check in CanCanCan Ability class:
- can :manage, ::Spree::Address, user_id: user.id
+ can :manage, ::Spree::Address, user_id: user.id if user.persisted?
the user object in Spree::Ability class for guest users is a Spree.user_class.new object.
Addresses endpoint to access it is part of the spree_storefront gem. Headless builds using APIs are not affected, as the Addresses endpoint there is only for registered users, and records are scoped to the currently signed-in user.
PoC
Preconditions
- No authentication required
- No cookies or session tokens set
To reproduce this vulnerability simply perform the request shown below, replacing the number with an arbitrary value.
For the initial request the Guest Address id = 6 is used to obtain the information
Request
GET /addresses/6/edit
Repeat the request and check the response, in this example using Guest Address id = 2.
Request
GET /addresses/2/edit
Impact
An unauthenticated attacker can:
- Enumerate and retrieve guest address information (Addresses associated with User accounts are NOT affected)
- Access personally identifiable information (PII) such as:
- Full names
- Physical addresses
- Phone numbers (if present)
This vulnerability could lead to:
- Privacy violations
- Regulatory compliance issues (e.g., GDPR)
- Loss of user trust
CVE-2026-22589 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.10.2, 5.0.7, 5.1.9, 5.2.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
spree_core to 4.10.2 or later; spree_core to 5.0.7 or later; spree_core to 5.1.9 or later; spree_core to 5.2.5 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-22589? CVE-2026-22589 is a high-severity security vulnerability in spree_core (rubygems), affecting versions >= 4.0.0, < 4.10.2. It is fixed in 4.10.2, 5.0.7, 5.1.9, 5.2.5.
- How severe is CVE-2026-22589? CVE-2026-22589 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of spree_core are affected by CVE-2026-22589? spree_core (rubygems) versions >= 4.0.0, < 4.10.2 is affected.
- Is there a fix for CVE-2026-22589? Yes. CVE-2026-22589 is fixed in 4.10.2, 5.0.7, 5.1.9, 5.2.5. Upgrade to this version or later.
- Is CVE-2026-22589 exploitable, and should I be worried? Whether CVE-2026-22589 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-22589 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-22589?
- Upgrade
spree_coreto 4.10.2 or later - Upgrade
spree_coreto 5.0.7 or later - Upgrade
spree_coreto 5.1.9 or later - Upgrade
spree_coreto 5.2.5 or later
- Upgrade