Perceptive Security
SOC/SIEM Consultancy

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Obje…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
CVE-2026-22589 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in Spree, an open source e-commerce solution built with Ruby on Rails. It lets an attacker with no valid credentials or session cookie read guest address information, that is, the addresses entered by customers who checked out without an account. All versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 are affected; those releases contain the fix. For a store running a vulnerable version this is a significant privacy risk, since guest checkout addresses are personal data belonging to real customers.
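The page gives no technical details of the vulnerable endpoint, so the following is an added illustration of the IDOR class in plain Ruby, written for this page rather than taken from Spree's code or the linked commits. It models what guest checkout involves: there is no user account, only a per-order token, so an address lookup that resolves records by database id alone is reachable by anyone who can count. The records, tokens and function names are constructed; in Rails terms the hardened form corresponds to finding the address through the caller's order association instead of with a bare `Model.find(params[:id])`.

```ruby
# Illustrative model of an unauthenticated IDOR on guest addresses.
# Not Spree's code; every record and token below is made up.

Address = Struct.new(:id, :order_id, :name, :street, keyword_init: true)
Order   = Struct.new(:id, :token, keyword_init: true)

# Constructed sample data: two guest orders, one address each.
ADDRESSES = [
  Address.new(id: 1, order_id: 10, name: "Alice", street: "1 Main St"),
  Address.new(id: 2, order_id: 11, name: "Bob",   street: "2 Elm St"),
].freeze

ORDERS = [
  Order.new(id: 10, token: "tok-alice-8f3a"),
  Order.new(id: 11, token: "tok-bob-71c9"),
].freeze

# Constant-time string comparison, so token matching does not leak
# which prefix of a guessed token was correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable pattern: the record is resolved by the id in the request and
# nothing else. No credentials, no session, no order token are consulted,
# so any caller who can guess an integer gets somebody else's address.
def vulnerable_show_address(params)
  ADDRESSES.find { |a| a.id == params[:id].to_i }
end

# Hardened pattern: first resolve the caller's order from the secret token,
# then look the address up *through* that order. An id belonging to another
# order is simply not found, so enumeration returns nothing.
def scoped_show_address(params)
  token = params[:order_token].to_s
  order = ORDERS.find { |o| secure_compare(o.token, token) }
  return nil unless order
  ADDRESSES.find { |a| a.order_id == order.id && a.id == params[:id].to_i }
end

# What an unauthenticated attacker does: walk sequential ids with no token.
# Returns the records that came back, so the two patterns can be compared.
def enumerate(id_range, &lookup)
  id_range.map { |id| lookup.call(id: id.to_s) }.compact
end
```

Run against ids 1..5, `enumerate` returns both guest addresses through the vulnerable lookup and none through the scoped one; with a valid token the scoped lookup still returns only that order's own address.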
Technical details
Mitigation steps:
Upgrade Spree to 4.10.2, 5.0.7, 5.1.9, or 5.2.5, whichever corresponds to the release line in use; the Spree commits and GitHub advisory listed under Related links cover the fix.
Affected products:
Spree Commerce
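A quick way to decide whether an installed Spree version falls in the affected range, as an added helper that is not part of the advisory or of Spree. It uses only the four fixed versions stated above; the release-line logic (compare within the same major.minor line, treat anything older than 4.10.2 as unpatched, and report lines the advisory does not name as unknown) is this page's assumption, not a statement from Spree.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Fixed versions as stated in the advisory summary above, one per release line.
FIXED_VERSIONS = %w[4.10.2 5.0.7 5.1.9 5.2.5].map { |v| Gem::Version.new(v) }.freeze

# "5.1.8" -> "5.1": the major.minor line a version belongs to.
def release_line(version)
  version.segments.first(2).join(".")
end

# Returns :vulnerable, :fixed, or :unknown for an installed version string.
# Assumption: a version older than the lowest fixed release (4.10.2) has no
# patched release at all; a newer line the advisory does not name is reported
# as :unknown rather than guessed either way.
def spree_status(installed)
  v = Gem::Version.new(installed)
  fixed = FIXED_VERSIONS.find { |f| release_line(f) == release_line(v) }
  if fixed
    v < fixed ? :vulnerable : :fixed
  elsif v < FIXED_VERSIONS.min
    :vulnerable
  else
    :unknown
  end
end
```

Feed it the version from `bundle list | grep spree_core` or `Gem.loaded_specs["spree_core"].version.to_s` inside the application; semantic comparison via `Gem::Version` avoids the string-comparison trap where "4.9" sorts after "4.10".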
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22589
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.
