CVE-2026-25757
Unknown Unknown - Not Provided
Information Disclosure in Spree E-commerce via Unauthenticated Order Access

Publication date: 2026-02-06

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25757
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
spreecommerce spree to 5.0.8 (exc)
spreecommerce spree From 5.1.0 (inc) to 5.1.10 (exc)
spreecommerce spree From 5.2.0 (inc) to 5.2.7 (exc)
spreecommerce spree From 5.3.0 (inc) to 5.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Spree, an open source e-commerce platform built with Ruby on Rails. Before certain patched versions (5.0.8, 5.1.10, 5.2.7, and 5.3.2), unauthenticated users could view completed guest orders simply by knowing the Order ID.

This means that anyone without logging in or authenticating could access order details that should be private.

The exposed information may include personally identifiable information (PII) such as names, addresses, and phone numbers of guest users.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive personal information of customers who placed guest orders.

This exposure can result in privacy violations, potential identity theft, and loss of customer trust.

Additionally, it may expose your business to legal and reputational risks due to mishandling of customer data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Spree to one of the patched versions: 5.0.8, 5.1.10, 5.2.7, or 5.3.2.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart