CVE-2026-31867
Received Received - Intake
IDOR Vulnerability in Craft Commerce Cart Enables Session Hijacking

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31867
EUVD
EUVD-2026-11271
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
craftcms craft_commerce From 4.0.0 (inc) to 4.11.0 (exc)
craftcms craft_commerce From 5.0.0 (inc) to 5.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31867 is an Insecure Direct Object Reference (IDOR) vulnerability in Craft Commerce's cart functionality prior to versions 4.11.0 and 5.6.0. It allows an attacker to hijack any active shopping cart by knowing or guessing its unique 32-character cart number. The vulnerability exists because the CartController accepts a user-supplied cart number to load and modify carts without verifying if the requester is authorized to access that cart. The system only checks if the order exists and is incomplete, but does not validate ownership, enabling unauthorized users to take over shopping sessions and potentially access personally identifiable information (PII)."}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to unauthorized hijacking of shopping carts, allowing attackers to access and modify active carts that are not theirs. This can result in exposure of sensitive information such as email addresses and physical addresses contained within the cart. Attackers can take over shopping sessions, potentially leading to fraudulent purchases or misuse of personal data. The vulnerability increases the risk of data breaches and undermines the integrity of the ecommerce platform's user sessions."}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized access attempts to shopping carts using 32-character cart numbers without proper authentication or ownership validation.'}, {'type': 'paragraph', 'content': 'Detection methods include checking web server or proxy logs for requests to cart loading endpoints that include 32-character cart numbers as parameters, especially if these requests come from unexpected IP addresses or show patterns of brute force attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such activity might include searching access logs for cart number patterns or suspicious requests. For example, using grep on Apache or Nginx logs:'}, {'type': 'list_item', 'content': "grep -Eo 'number=[a-f0-9]{32}' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "grep -E 'load-cart' /var/log/apache2/access.log | grep -Eo 'number=[a-f0-9]{32}'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for repeated failed or unusual cart access attempts can help identify exploitation attempts.'}] [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where the vulnerability is fixed.

The fix introduces token-based security for cart loading operations, requiring a valid secure token or authentication as the cart owner to access carts, preventing unauthorized hijacking.

If upgrading immediately is not possible, consider implementing additional access controls or monitoring to detect and block unauthorized cart access attempts.

Review and apply the security enhancements described in the patch, such as enabling the `cartLinkExpiry` setting to limit token validity and using secure token generation methods.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart