CVE-2026-13238 PUBLISHED

Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058

Assigner: drupal
Reserved: 24.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.

Product Status

Vendor Drupal
Product Commerce Realex / Global Payments
Versions
  • affected from 0.0.0 to 3.0.2 (excl.)

Credits

  • Bill Seremetis (bserem) finder
  • Alan Burke (alanburke) remediation developer
  • Bill Seremetis (bserem) remediation developer
  • Jaime Seuma (jaims-dev) remediation developer
  • Greg Knaddison (greggles) coordinator
  • Drew Webber (mcdruid) coordinator
  • Juraj Nemec (poker10) coordinator

References

Problem Types

  • CWE-863 Incorrect Authorization CWE

Impacts

  • CAPEC-87 Forceful Browsing