CVE-2026-22589 PUBLISHED

Spree API has Unauthenticated IDOR - Guest Address

Assigner: GitHub_M
Reserved: 07.01.2026 Published: 10.01.2026 Updated: 12.01.2026

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	spree
Product	spree
Versions	Version >= 5.2.0, < 5.2.5 is affected Version >= 5.1.0, < 5.1.9 is affected Version >= 5.0.0, < 5.0.7 is affected Version < 4.10.2 is affected

References

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE