CVE-2026-31867
IDOR Vulnerability in Craft Commerce Cart Enables Session Hijacking
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 4.0.0 (inc) to 4.11.0 (exc) |
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31867 is an Insecure Direct Object Reference (IDOR) vulnerability in the cart functionality of Craft Commerce 4.x before 4.11.0 and 5.x before 5.6.0. It allows an attacker to hijack any active shopping cart by knowing or guessing its unique 32-character cart number. The vulnerability exists because the CartController accepts a user-supplied cart number to load and modify carts without verifying that the requester is authorized to access that cart. The system only checks that the order exists and is incomplete; it does not validate ownership, so unauthorized users can take over shopping sessions and potentially access personally identifiable information (PII). [2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized hijacking of shopping carts, allowing attackers to access and modify active carts that are not theirs. This can result in exposure of sensitive information such as email addresses and physical addresses contained within the cart. Attackers can take over shopping sessions, potentially leading to fraudulent purchases or misuse of personal data. The vulnerability increases the risk of data breaches and undermines the integrity of the ecommerce platform's user sessions. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for access to shopping carts by 32-character cart number from clients that are neither authenticated as the cart owner nor carrying a valid cart token.

Detection methods include checking web server or proxy logs for requests to cart-loading endpoints that include a 32-character cart number as a parameter, especially when those requests come from unexpected IP addresses or show enumeration patterns (one client cycling through many distinct cart numbers, many 404 or error responses in a row). A single request carrying a valid cart number is normal shopper behaviour, so the signal is the number of distinct cart numbers per client, not the presence of the parameter.

Suggested commands to surface such activity include searching access logs for the cart-number pattern. The patterns below assume the cart number is a lowercase 32-character hexadecimal string and is passed as the `number` parameter; adjust them to the parameter name and log format in use. For example, using grep on Nginx or Apache logs:

- `grep -Eo 'number=[a-f0-9]{32}' /var/log/nginx/access.log`
- `grep -E 'load-cart' /var/log/apache2/access.log | grep -Eo 'number=[a-f0-9]{32}'`

Additionally, monitoring for repeated failed or unusual cart access attempts can help identify exploitation attempts. [2]
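As an added example that is not part of the advisory and not Craft Commerce code, the following Python script applies the detection idea above to a constructed access-log excerpt: it extracts requests to the cart-loading endpoint that carry a 32-character hex `number` parameter and reports clients that touch several distinct cart numbers, the enumeration pattern a single legitimate shopper does not produce. The endpoint path `/actions/commerce/cart/load-cart`, the parameter name, the sample log lines and the threshold of three distinct numbers are assumptions made for the example.

```python
"""Flag clients that probe many distinct Craft Commerce cart numbers.

Added example: the log lines below are constructed, and the endpoint path,
parameter name and threshold are assumptions, not taken from the advisory
or from Craft Commerce itself.
"""
import re
from collections import defaultdict

# Nginx/Apache "combined" format:
#   ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Exactly 32 lowercase hex characters passed as the `number` query parameter
CART_RE = re.compile(r'[?&]number=([a-f0-9]{32})\b')
# Assumed path of the cart-loading action discussed in the advisory
CART_ENDPOINT = "commerce/cart/load-cart"

# Constructed sample log. 198.51.100.4 and 192.0.2.7 behave like shoppers;
# 203.0.113.9 walks through consecutive cart numbers with curl.
SAMPLE_LOG = """\
198.51.100.4 - - [11/Mar/2026:10:00:01 +0000] "GET /actions/commerce/cart/load-cart?number=3f9a0c2b8d1e4a7f6b5c9d0e1f2a3b4c HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Mar/2026:10:00:05 +0000] "GET /actions/commerce/cart/load-cart?number=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Mar/2026:10:00:09 +0000] "GET /actions/commerce/cart/load-cart?number=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Mar/2026:10:00:12 +0000] "POST /actions/commerce/cart/update-cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2026:10:01:00 +0000] "GET /actions/commerce/cart/load-cart?number=aaaabbbbccccddddeeeeffff00001111 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.9 - - [11/Mar/2026:10:01:01 +0000] "GET /actions/commerce/cart/load-cart?number=aaaabbbbccccddddeeeeffff00001112 HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.9 - - [11/Mar/2026:10:01:02 +0000] "GET /actions/commerce/cart/load-cart?number=aaaabbbbccccddddeeeeffff00001113 HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.9 - - [11/Mar/2026:10:01:03 +0000] "GET /actions/commerce/cart/load-cart?number=aaaabbbbccccddddeeeeffff00001114 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.9 - - [11/Mar/2026:10:01:04 +0000] "GET /actions/commerce/cart/load-cart?number=deadbeef HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""


def parse_cart_requests(lines):
    """Yield (ip, cart_number, status) for every request to the cart-loading
    endpoint that carries a well-formed 32-hex cart number."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or CART_ENDPOINT not in m["path"]:
            continue
        c = CART_RE.search(m["path"])
        if not c:  # wrong parameter, or a number that is not 32 hex chars
            continue
        yield m["ip"], c.group(1), int(m["status"])


def find_enumerators(lines, threshold=3):
    """Return {ip: sorted distinct cart numbers} for clients that requested
    at least `threshold` different cart numbers. Repeated loads of one
    cart (a shopper reopening a link) do not count."""
    seen = defaultdict(set)
    for ip, number, _status in parse_cart_requests(lines):
        seen[ip].add(number)
    return {ip: sorted(nums) for ip, nums in seen.items() if len(nums) >= threshold}


if __name__ == "__main__":
    for ip, numbers in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} loaded {len(numbers)} distinct carts: {numbers}")
```

Run it against a real access log with `find_enumerators(open(path))`; lower the threshold for low-traffic shops and raise it where a proxy or NAT gateway fronts many shoppers with one address.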
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where the vulnerability is fixed.
The fix introduces token-based security for cart loading operations, requiring a valid secure token or authentication as the cart owner to access carts, preventing unauthorized hijacking.
If upgrading immediately is not possible, consider implementing additional access controls or monitoring to detect and block unauthorized cart access attempts.
Review and apply the security enhancements described in the patch, such as enabling the `cartLinkExpiry` setting to limit token validity and using secure token generation methods.
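To make the authorization gap and the described fix concrete, here is an added Python model that is not Craft Commerce code: `load_cart_vulnerable` reproduces the check the advisory describes (the order exists and is incomplete, ownership never consulted), and `load_cart_hardened` adds the two conditions the fix is described as introducing, ownership of the cart or a valid secure token bound to that cart number and limited by an expiry setting. The cart store, the HMAC token format, the `CART_LINK_EXPIRY` constant standing in for the `cartLinkExpiry` setting, and all function names are assumptions for the example.

```python
"""Model of the CWE-639 check behind CVE-2026-31867 and one hardened form.

Added example, not Craft Commerce code. The cart store, token format and
expiry constant are assumptions that stand in for the real settings.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cart:
    number: str                 # 32-character hex cart number
    customer_id: Optional[int]  # None for a guest cart
    email: str
    is_completed: bool


class Forbidden(Exception):
    """Requester is neither the owner nor the holder of a valid cart token."""


# Constructed store: two incomplete carts owned by different customers
ALICE_CART = "3f9a0c2b8d1e4a7f6b5c9d0e1f2a3b4c"
BOB_CART = "9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e"
CARTS = {
    ALICE_CART: Cart(ALICE_CART, 1, "alice@example.com", False),
    BOB_CART: Cart(BOB_CART, 2, "bob@example.com", False),
}


def load_cart_vulnerable(number, requester_id=None):
    """Before the fix: any incomplete order with this number is handed over.
    `requester_id` is accepted but never consulted, which is the CWE-639 gap."""
    cart = CARTS.get(number)
    if cart is None or cart.is_completed:
        raise LookupError("no open cart with that number")
    return cart


SECRET = secrets.token_bytes(32)  # assumed per-site signing key
CART_LINK_EXPIRY = 3600           # assumed: seconds a cart link stays valid


def make_cart_token(number, now=None):
    """Token = "<expiry>.<hex HMAC-SHA256(secret, number:expiry)>".
    Binding the cart number into the MAC stops a token issued for one
    cart from opening another."""
    exp = int(time.time() if now is None else now) + CART_LINK_EXPIRY
    mac = hmac.new(SECRET, f"{number}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_cart_token(number, token, now=None):
    """True only for an unexpired, untampered token issued for this number."""
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False
    if int(time.time() if now is None else now) > exp:
        return False
    expected = hmac.new(SECRET, f"{number}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def load_cart_hardened(number, requester_id=None, token=None, now=None):
    """After the fix: same existence check, then the requester must own the
    cart or present a valid token bound to exactly this cart number."""
    cart = CARTS.get(number)
    if cart is None or cart.is_completed:
        raise LookupError("no open cart with that number")
    owns = requester_id is not None and cart.customer_id == requester_id
    if not owns and not (token and verify_cart_token(number, token, now)):
        raise Forbidden("not the cart owner and no valid cart token")
    return cart


def can_load(number, requester_id=None, token=None, now=None):
    """True if load_cart_hardened would return the cart, False if it refuses."""
    try:
        load_cart_hardened(number, requester_id, token, now)
        return True
    except (LookupError, Forbidden):
        return False


if __name__ == "__main__":
    # Bob (customer 2) opens Alice's cart on the vulnerable path...
    print(load_cart_vulnerable(ALICE_CART, requester_id=2).email)
    # ...and is refused on the hardened one unless he holds a token for it.
    print(can_load(ALICE_CART, requester_id=2), can_load(ALICE_CART, token=make_cart_token(ALICE_CART)))
```

The expiry bound is what `cartLinkExpiry`-style settings buy you: a leaked or forwarded cart link stops working after the window, so the token is not a second long-lived identifier that reintroduces the original problem.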