CVE-2026-32270
Status: Received - Intake
Information Disclosure in Craft Commerce PaymentsController Allows Data Leak

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains sensitive fields such as the customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves the order by number (the "Load order by number" step) before authorization is fully enforced. This issue has been fixed in versions 4.11.0 and 5.6.0.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Associated CPEs (8):
Vendor Product Version / Range
craftcms craft_commerce From 4.0.0 (inc) to 4.10.2 (inc)
craftcms craft_commerce From 5.0.0 (inc) to 5.5.4 (inc)
craftcms craft_commerce 4.11.0
craftcms craft_commerce 5.6.0
craftcms commerce From 4.0.0 (inc) to 4.10.2 (inc)
craftcms commerce From 5.0.0 (inc) to 5.5.4 (inc)
craftcms commerce 4.11.0
craftcms commerce 5.6.0
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32270 is an information disclosure vulnerability in the Craft Commerce platform for Craft CMS. It occurs in the PaymentsController::actionPay method, where if an order number is provided during an anonymous payment attempt and the email verification fails, the system returns a JSON error response that includes the serialized order object.

This serialized order object contains sensitive customer information such as the customer's email, shipping address, and billing address. The vulnerability arises because the order is retrieved by its number before authorization is fully enforced, leading to broken access control and exposure of sensitive data to unauthenticated users.

The issue affects Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4 and has been fixed in versions 4.11.0 and 5.6.0 by removing the order data from the failure response.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive customer information such as email addresses, shipping addresses, and billing addresses. An attacker who knows or can guess an order number can trigger the payment endpoint and receive detailed order data even without proper authentication.

This exposure of personal and order-related data can compromise customer privacy, potentially leading to identity theft, phishing attacks, or other malicious activities targeting customers.

Additionally, the broken access control represents a security weakness that undermines trust in the ecommerce platform and may expose the business to reputational damage.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the responses from the `commerce/payments/pay` endpoint in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. Specifically, if an unauthenticated request to this endpoint with an order number and a failing email check returns a JSON error response containing serialized order data (including sensitive fields like customer email, shipping address, and billing address), the system is vulnerable.

To detect this on your system, you can use network traffic inspection tools or send crafted HTTP requests to the payment endpoint and observe the responses.

  • Use curl to simulate a payment attempt with an order number and an incorrect email to see if order data is disclosed:
  • curl -X POST https://yourcraftcommerceurl.com/commerce/payments/pay -d 'orderNumber=KNOWN_ORDER_NUMBER&email=WRONG_EMAIL'
  • Inspect the JSON response for presence of order details such as customer email, shipping address, or billing address.
  • Alternatively, use tools like Burp Suite or Wireshark to monitor traffic and check for sensitive data exposure in error responses from the payment endpoint.
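As an added example (not part of this record or of Craft Commerce's own code), the following Python checker inspects captured responses from the pay endpoint offline, for instance from a proxy log, and flags a failed response that still embeds a serialized order with customer data while ignoring successful responses, which legitimately return the order. The JSON shape (success/error keys) and the order field names are assumptions based on the advisory's description.

```python
import json

# Fields the advisory names as leaked inside the serialized order object
# (assumed key names; adjust to what your own responses actually use).
SENSITIVE_ORDER_FIELDS = ("email", "shippingAddress", "billingAddress")

def leaked_fields(body, status=None):
    """Return the sensitive order fields exposed by a FAILED pay response.
    A response is treated as a failure when the HTTP status is 4xx/5xx, the
    body carries success=false, or it has an 'error' key. Successful responses
    are ignored: they legitimately return the order to the paying customer.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []                      # not JSON: nothing to inspect
    if not isinstance(data, dict):
        return []
    is_error = ((status is not None and status >= 400)
                or data.get("success") is False or "error" in data)
    order = data.get("order")
    if not is_error or not isinstance(order, dict):
        return []
    return [f for f in SENSITIVE_ORDER_FIELDS if order.get(f)]

def scan_capture(records):
    """Run leaked_fields over (label, status, body) records; return only hits."""
    hits = {}
    for label, status, body in records:
        found = leaked_fields(body, status)
        if found:
            hits[label] = found
    return hits

# Constructed sample bodies, not real traffic. VULNERABLE mimics the unpatched
# behaviour: the email check fails but the order is still serialized.
VULNERABLE = json.dumps({
    "success": False, "error": "Email does not match the order.",
    "order": {"number": "a1b2c3", "email": "customer@example.com",
              "shippingAddress": {"city": "Portland"},
              "billingAddress": {"city": "Portland"}}})
# Patched behaviour: same failure, no order object in the body.
FIXED = json.dumps({"success": False, "error": "Email does not match the order."})
# A successful payment returns the order to its owner; that is not a leak.
SUCCESS = json.dumps({"success": True, "order": {"number": "a1b2c3",
                                                  "email": "customer@example.com"}})
```

Feed `scan_capture` the (label, status, body) triples from your own capture; any hit on a response dated before the upgrade is a confirmed leak to review.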

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade Craft Commerce to a fixed version where this vulnerability is resolved.

  • Upgrade to Craft Commerce version 4.11.0 or later if you are on the 4.x branch.
  • Upgrade to Craft Commerce version 5.6.0 or later if you are on the 5.x branch.

These versions remove the order data from failure responses in the payment controller, preventing sensitive information disclosure.

Additionally, consider restricting access to the payment endpoint or implementing rate limiting to reduce the risk of enumeration attacks until the upgrade can be applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes unauthorized disclosure of sensitive customer information such as email addresses, shipping addresses, and billing addresses by exposing order data to unauthenticated users.

Such exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personally identifiable information and mandate protection against unauthorized disclosure.

Because the vulnerability involves broken access control and exposure of sensitive information to unauthorized actors, it increases the risk of violating privacy and security requirements mandated by these standards.

The issue has been fixed in later versions (4.11.0 and 5.6.0) to prevent leaking order details in error responses, thereby helping to restore compliance with such regulations.

