CVE-2026-32270
Received Received - Intake
Information Disclosure in Craft Commerce PaymentsController Allows Data Leak

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32270
EUVD
EUVD-2026-22073
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_commerce From 4.0.0 (inc) to 4.10.2 (inc)
craftcms craft_commerce From 5.0.0 (inc) to 5.5.4 (inc)
craftcms craft_commerce 4.11.0
craftcms craft_commerce 5.6.0
craftcms commerce From 4.0.0 (inc) to 4.10.2 (inc)
craftcms commerce From 5.0.0 (inc) to 5.5.4 (inc)
craftcms commerce 4.11.0
craftcms commerce 5.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32270 is an information disclosure vulnerability in the Craft Commerce platform for Craft CMS. It occurs in the PaymentsController::actionPay method, where if an order number is provided during an anonymous payment attempt and the email verification fails, the system returns a JSON error response that includes the serialized order object.

This serialized order object contains sensitive customer information such as the customer's email, shipping address, and billing address. The vulnerability arises because the order is retrieved by its number before authorization is fully enforced, leading to broken access control and exposure of sensitive data to unauthenticated users.

The issue affects Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4 and has been fixed in versions 4.11.0 and 5.6.0 by removing the order data from the failure response.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive customer information such as email addresses, shipping addresses, and billing addresses. An attacker who knows or can guess an order number can trigger the payment endpoint and receive detailed order data even without proper authentication.

This exposure of personal and order-related data can compromise customer privacy, potentially leading to identity theft, phishing attacks, or other malicious activities targeting customers.

Additionally, the broken access control represents a security weakness that undermines trust in the ecommerce platform and may expose the business to reputational damage.

Detection Guidance

This vulnerability can be detected by monitoring the responses from the `commerce/payments/pay` endpoint in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. Specifically, if an unauthenticated request to this endpoint with an order number and a failing email check returns a JSON error response containing serialized order data (including sensitive fields like customer email, shipping address, and billing address), the system is vulnerable.

To detect this on your system, you can use network traffic inspection tools or send crafted HTTP requests to the payment endpoint and observe the responses.

  • Use curl to simulate a payment attempt with an order number and an incorrect email to see if order data is disclosed:
  • curl -X POST https://yourcraftcommerceurl.com/commerce/payments/pay -d 'orderNumber=KNOWN_ORDER_NUMBER&[email protected]'
  • Inspect the JSON response for presence of order details such as customer email, shipping address, or billing address.
  • Alternatively, use tools like Burp Suite or Wireshark to monitor traffic and check for sensitive data exposure in error responses from the payment endpoint.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade Craft Commerce to a fixed version where this vulnerability is resolved.

  • Upgrade to Craft Commerce version 4.11.0 or later if you are on the 4.x branch.
  • Upgrade to Craft Commerce version 5.6.0 or later if you are on the 5.x branch.

These versions remove the order data from failure responses in the payment controller, preventing sensitive information disclosure.

Additionally, consider restricting access to the payment endpoint or implementing rate limiting to reduce the risk of enumeration attacks until the upgrade can be applied.

Compliance Impact

This vulnerability causes unauthorized disclosure of sensitive customer information such as email addresses, shipping addresses, and billing addresses by exposing order data to unauthenticated users.

Such exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personally identifiable information and mandate protection against unauthorized disclosure.

Because the vulnerability involves broken access control and exposure of sensitive information to unauthorized actors, it increases the risk of violating privacy and security requirements mandated by these standards.

The issue has been fixed in later versions (4.11.0 and 5.6.0) to prevent leaking order details in error responses, thereby helping to restore compliance with such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart