CVE-2026-32270

EPSS 0.09%

Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments

Published: 2026/4/14 | Modified: 2026/4/14

Description

### Summary

`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (`order`), which contains some sensitive fields such as customer email, shipping address, and billing address.

### Details

I manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.

Code path:

1. Load order by `number`.
2. Evaluate whether payment is authorized for completed orders (`number + matching email`).
3. If unauthorized, return failure.
4. Failure response still includes `cartArray($order)`, which serializes sensitive order data.

Why is this a vulnerability?

- Authorization logic says the requester is not allowed to pay for a completed order without an email.
- But the response still returns the same completed order's contents.

### Impact

Type: Information Disclosure / Broken Access Control

Who is impacted:

- Any Commerce deployment where completed order numbers can be obtained or leaked.

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |

References (6)