CVE-2026-40098
Status: Received - Intake
Cross-User File Disclosure in Magento LTS Wishlist Import

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sharing_code`, but loads the acted-on wishlist item by a separate global `wishlist_item_id` and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A together with a wishlist item ID belonging to victim wishlist B to import the victim's item into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored `buyRequest` is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openmage
Product: magento
Version / Range: all versions before 20.17.0 (20.17.0 itself excluded)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability leads to cross-user data disclosure by allowing an attacker to import private wishlist items from a victim into their own cart, including private custom-option data and potentially sensitive files. Such unauthorized access and disclosure of personal or sensitive data can violate data protection principles central to regulations like GDPR and HIPAA, which mandate strict controls on user data confidentiality and access authorization.

Because the vulnerability bypasses object-level authorization and exposes private user data without proper consent or verification, it undermines compliance with standards requiring data privacy, integrity, and secure access controls.


Can you explain this vulnerability to me?

CVE-2026-40098 is a vulnerability in OpenMage Magento Long Term Support (LTS) versions before 20.17.0 involving broken object-level authorization in the shared wishlist add-to-cart feature.

The shared wishlist add-to-cart endpoint authorizes access using a public sharing_code but loads the wishlist item by a global wishlist_item_id without verifying that the item belongs to the shared wishlist referenced by that code.

This flaw allows an attacker who has a valid shared wishlist code for one wishlist (wishlist A) to import an item from another victim's wishlist (wishlist B) into their own cart by specifying the victim's wishlist item ID.

Because the victim item's stored buyRequest data is reused during the import, the victim's private custom-option data, including personalized information, is copied into the attacker's cart.

If the product uses a file-type custom option, the attacker can exploit this to perform cross-user file disclosure by accessing files associated with the victim's wishlist item, since the download endpoint does not verify ownership.

The root cause is a missing authorization check that should ensure the wishlist item belongs to the shared wishlist referenced by the sharing_code.

This vulnerability was fixed in version 20.17.0 by adding a check to confirm the wishlist item matches the shared wishlist before allowing the add-to-cart operation.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to access and import private wishlist items from other users into their own cart without authorization.

Attackers can obtain private custom-option data associated with victim wishlist items, which may include personalized text or sensitive information.

In cases where the product has file-type custom options, attackers can exploit the flaw to download files belonging to other users, leading to cross-user file disclosure.

This compromises user privacy and data confidentiality, potentially exposing sensitive or personal data to unauthorized parties.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the exploit scenario on a test copy of the store with two test customers: send a GET request to the shared wishlist add-to-cart endpoint using a valid shared wishlist code combined with a wishlist item ID that belongs to a different wishlist, following the URL pattern /wishlist/shared/cart/?code=<shared_code>&item=<victim_item_id>, and then check whether that item, with its custom-option data, appears in the requesting session's cart. The cart is tied to the HTTP session, so the session cookie has to be kept across the two requests. Before testing, confirm the installed release (Mage::getOpenMageVersion() in app/Mage.php); anything below 20.17.0 is affected.

A practical detection sequence using curl, keeping the session cookie in a jar and then reading the cart page, would be:

  • curl -v -c cookies.txt -b cookies.txt "https://<magento-site>/wishlist/shared/cart/?code=<valid_shared_code>&item=<wishlist_item_id_from_another_user>"
  • curl -sS -b cookies.txt "https://<magento-site>/checkout/cart/"

If the first request is answered with a redirect into the cart flow and the other user's item then shows up on the cart page, the store is vulnerable. A patched store forwards such a request to the no-route (404) page instead of adding the item.
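Beyond the live reproduction above, the same mismatch can be hunted in web-server access logs after the fact. The following Python script is an added example and not part of the advisory or of OpenMage: it parses combined-format access-log lines, extracts `code` and `item` from shared-wishlist cart requests in both the query-string form and Magento's `/item/<id>/code/<code>/` path-pair form, and flags requests where the item's wishlist is not the wishlist the sharing code names. The two lookup tables are assumed to come from a database export of the `wishlist` and `wishlist_item` tables; the tables, IDs, codes and log lines here are constructed.

```python
"""Flag shared-wishlist add-to-cart requests where `item` does not belong to the
wishlist that `code` authorizes (the CVE-2026-40098 request pattern).

Added example, not advisory or OpenMage code. Assumes combined-format access logs
and two lookup tables exported from the store database; every value is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for `SELECT sharing_code, wishlist_id FROM wishlist`
# and `SELECT wishlist_item_id, wishlist_id FROM wishlist_item`.
CODE_TO_WISHLIST = {"a1b2c3": 10, "d4e5f6": 11}
ITEM_TO_WISHLIST = {100: 10, 101: 10, 200: 11}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines: a benign import, a cross-wishlist import, a benign import in
# Magento's path-pair parameter form, and an unrelated shared-wishlist page view.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Apr/2026:10:00:01 +0000] "GET /wishlist/shared/cart/?code=a1b2c3&item=100 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2026:10:00:05 +0000] "GET /wishlist/shared/cart/?code=a1b2c3&item=200 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Apr/2026:10:01:00 +0000] "GET /index.php/wishlist/shared/cart/item/101/code/a1b2c3/ HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Apr/2026:10:01:09 +0000] "GET /wishlist/shared/index/code/a1b2c3/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
]


def parse_shared_cart(path):
    """Return (code, item) for a wishlist/shared/cart request, else None.

    Handles `?code=..&item=..` as well as Magento's `/item/<id>/code/<code>/`
    path pairs, with or without a leading index.php segment.
    """
    parts = urlsplit(path)
    segs = [s for s in parts.path.split("/") if s]
    if segs and segs[0] == "index.php":
        segs = segs[1:]
    if segs[:3] != ["wishlist", "shared", "cart"]:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rest = segs[3:]
    for key, value in zip(rest[0::2], rest[1::2]):
        params.setdefault(key, value)  # path pairs do not override query params
    if "code" not in params or "item" not in params:
        return None
    return params["code"], params["item"]


def classify(code, item):
    """'cross-wishlist' is the exploit pattern; 'ok' is a legitimate shared import."""
    try:
        item_id = int(item)
    except ValueError:
        return "bad-item"
    code_wl = CODE_TO_WISHLIST.get(code)
    item_wl = ITEM_TO_WISHLIST.get(item_id)
    if code_wl is None:
        return "unknown-code"
    if item_wl is None:
        return "unknown-item"
    return "ok" if code_wl == item_wl else "cross-wishlist"


def scan(lines):
    """One finding per cross-wishlist request, including the status the server returned."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_shared_cart(m["path"])
        if parsed is None:
            continue
        code, item = parsed
        if classify(code, item) == "cross-wishlist":
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "code": code, "item": int(item),
                "code_wishlist": CODE_TO_WISHLIST[code],
                "item_wishlist": ITEM_TO_WISHLIST[int(item)],
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status column tells you whether a flagged attempt succeeded: on an unpatched store the cross-wishlist request is answered with a redirect into the cart flow, whereas the patched controller forwards it to the no-route (404) page. Wishlist and item IDs can be reassigned over time, so export the lookup tables for the same period as the logs being scanned.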


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenMage Magento LTS to version 20.17.0 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, a temporary mitigation is to backport the authorization check into the shared wishlist add-to-cart controller so that the wishlist item must belong to the shared wishlist referenced by the sharing code: requests whose wishlist item ID resolves to a different wishlist than the one loaded by the sharing code are rejected. Apply it as a local override (the app/code/local code pool) rather than by editing the core file, so the change is not lost or left behind when the upgrade is done.

  • In SharedController::cartAction(), once the wishlist has been loaded by the request's sharing code and the item by its ID, add:

      // Reject the request unless the item belongs to the wishlist that the sharing code authorizes
      if (!$item->getId() || !$wishlist->getId()
          || (int)$item->getWishlistId() !== (int)$wishlist->getId()) {
          return $this->_forward('noRoute');
      }

Additionally, ensure that the file download endpoint for custom options is bound to the current quote or order owner, so that file metadata already copied into a quote cannot be turned into a download by a customer who does not own that quote.
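To make the gap and the check concrete, the following is an added Python re-creation of the logic described in this advisory; it is not OpenMage's PHP and the class, function and table names in it are illustrative. The vulnerable handler authorizes only that the sharing code names a shared wishlist and then loads the item by global ID; the hardened handler additionally requires the item's wishlist ID to match. Both reuse the stored buyRequest on import, which is how the victim's file custom-option metadata ends up in the attacker's quote. Wishlists, items, customers, codes and the file path are constructed for the example.

```python
"""Toy model of the shared-wishlist add-to-cart flow behind CVE-2026-40098.

Added example, not OpenMage code: a Python re-creation of the logic the advisory
describes, with the vulnerable handler next to the hardened one. All rows,
IDs, sharing codes and file paths below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


class NoRoute(Exception):
    """Stands in for the controller's _forward('noRoute') (a 404 to the client)."""


@dataclass
class Wishlist:
    wishlist_id: int
    customer_id: int
    sharing_code: str
    shared: bool


@dataclass
class WishlistItem:
    wishlist_item_id: int
    wishlist_id: int
    product_id: int
    buy_request: dict[str, Any]  # stored options, including file custom-option metadata


@dataclass
class Quote:
    customer_id: int
    items: list[dict[str, Any]] = field(default_factory=list)


# Constructed rows: customer 1 shares wishlist 10 publicly; customer 2's wishlist 11 is private.
WISHLISTS = {
    10: Wishlist(10, customer_id=1, sharing_code="a1b2c3", shared=True),
    11: Wishlist(11, customer_id=2, sharing_code="q7r8s9", shared=False),
}
ITEMS = {
    100: WishlistItem(100, wishlist_id=10, product_id=501, buy_request={"qty": 1}),
    200: WishlistItem(
        200, wishlist_id=11, product_id=777,
        buy_request={
            "qty": 1,
            "options": {  # a file custom option, as stored when the victim added the item
                "42": {"type": "file", "title": "passport-scan.pdf",
                       "quote_path": "custom_options/quote/p/a/passport-scan.pdf"},
            },
        },
    ),
}


def load_shared_wishlist(code: str) -> Wishlist:
    """The only authorization the endpoint performs: the code must name a shared wishlist."""
    for wishlist in WISHLISTS.values():
        if wishlist.shared and wishlist.sharing_code == code:
            return wishlist
    raise NoRoute("no shared wishlist for this code")


def _import_item(item: WishlistItem, quote: Quote) -> None:
    # Cart import reuses the stored buyRequest verbatim, file metadata included.
    quote.items.append({"product_id": item.product_id,
                        "source_wishlist_id": item.wishlist_id,
                        "buy_request": dict(item.buy_request)})


def vulnerable_cart_action(code: str, item_id: int, quote: Quote) -> Quote:
    load_shared_wishlist(code)      # the code is checked ...
    item = ITEMS.get(item_id)       # ... but the item is loaded by its global ID
    if item is None:
        raise NoRoute("no such item")
    _import_item(item, quote)       # item.wishlist_id is never compared to the wishlist
    return quote


def hardened_cart_action(code: str, item_id: int, quote: Quote) -> Quote:
    wishlist = load_shared_wishlist(code)
    item = ITEMS.get(item_id)
    # Object-level check: the item must belong to the wishlist the code authorizes.
    if item is None or item.wishlist_id != wishlist.wishlist_id:
        raise NoRoute("item does not belong to the shared wishlist")
    _import_item(item, quote)
    return quote


def leaked_file_paths(quote: Quote) -> list[str]:
    """File custom-option paths now sitting in the quote (what a download endpoint would serve)."""
    return [opt["quote_path"]
            for qi in quote.items
            for opt in qi["buy_request"].get("options", {}).values()
            if opt.get("type") == "file"]


if __name__ == "__main__":
    attacker = Quote(customer_id=3)
    vulnerable_cart_action("a1b2c3", 200, attacker)  # code for wishlist 10, item from wishlist 11
    print("vulnerable:", leaked_file_paths(attacker))
    try:
        hardened_cart_action("a1b2c3", 200, Quote(customer_id=3))
    except NoRoute as exc:
        print("hardened:", exc)
```

The check is deliberately on the item's wishlist ID rather than on the customer, because the shared flow is used by anonymous visitors: the sharing code is the only credential, so the item must be proven to be one of the things that credential covers.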

