CVE-2026-25757
Unknown Unknown - Not Provided
Information Disclosure in Spree E-commerce via Unauthenticated Order Access

Publication date: 2026-02-06

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-23
Generated
2026-05-07
AI Q&A
2026-02-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25757
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
spreecommerce spree to 5.0.8 (exc)
spreecommerce spree From 5.1.0 (inc) to 5.1.10 (exc)
spreecommerce spree From 5.2.0 (inc) to 5.2.7 (exc)
spreecommerce spree From 5.3.0 (inc) to 5.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Spree, an open source e-commerce platform built with Ruby on Rails. Before certain patched versions (5.0.8, 5.1.10, 5.2.7, and 5.3.2), unauthenticated users could view completed guest orders simply by knowing the Order ID.

This means that anyone without logging in or authenticating could access order details that should be private.

The exposed information may include personally identifiable information (PII) such as names, addresses, and phone numbers of guest users.


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized disclosure of sensitive personal information of customers who placed guest orders.

This exposure can result in privacy violations, potential identity theft, and loss of customer trust.

Additionally, it may expose your business to legal and reputational risks due to mishandling of customer data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Spree to one of the patched versions: 5.0.8, 5.1.10, 5.2.7, or 5.3.2.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart