Skip to content

Spree API has Unauthenticated IDOR - Guest Address

High severity GitHub Reviewed Published Jan 8, 2026 in spree/spree • Updated Jan 8, 2026

Package

bundler spree_core (RubyGems)

Affected versions

>= 4.0.0, < 4.10.2
>= 5.0.0, < 5.0.7
>= 5.1.0, < 5.1.9
>= 5.2.0, < 5.2.5

Patched versions

4.10.2
5.0.7
5.1.9
5.2.5

Description

Summary

An Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies.

Details

During testing, it was observed that all guest users can make an unauthenticated request to retrieve address data belonging to other guest users by manipulating object identifiers. The attacker would need to know the storefront URL structure to perform this attack (which can be learnt after creating a registered user account).

Affected Component(s)

  • Address Edit endpoint: /addresses/{addressId}/edit

Root Cause

  • Faulty authorization check in CanCanCan Ability class:
- can :manage, ::Spree::Address, user_id: user.id
+ can :manage, ::Spree::Address, user_id: user.id if user.persisted?

the user object in Spree::Ability class for guest users is a Spree.user_class.new object.

Addresses endpoint to access it is part of the spree_storefront gem. Headless builds using APIs are not affected, as the Addresses endpoint there is only for registered users, and records are scoped to the currently signed-in user.

PoC

Preconditions

  • No authentication required
  • No cookies or session tokens set

To reproduce this vulnerability simply perform the request shown below, replacing the number with an arbitrary value.

For the initial request the Guest Address id = 6 is used to obtain the information

Request
GET /addresses/6/edit

IDOR Guest

Repeat the request and check the response, in this example using Guest Address id = 2.

Request
GET /addresses/2/edit

IDOR Guest Address ID 2

Impact

An unauthenticated attacker can:

  • Enumerate and retrieve guest address information (Addresses associated with User accounts are NOT affected)
  • Access personally identifiable information (PII) such as:
  • Full names
  • Physical addresses
  • Phone numbers (if present)

This vulnerability could lead to:

  • Privacy violations
  • Regulatory compliance issues (e.g., GDPR)
  • Loss of user trust

References

@damianlegawiec damianlegawiec published to spree/spree Jan 8, 2026
Published to the GitHub Advisory Database Jan 8, 2026
Reviewed Jan 8, 2026
Last updated Jan 8, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

CVE ID

CVE-2026-22589

GHSA ID

GHSA-3ghg-3787-w2xr

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.