A security vulnerability (CVE-2026-22588) in Spree API allows authenticated users to access other users' address information through an Insecure Direct Object Reference (IDOR) flaw. By manipulating address identifiers when updating their own orders via the /api/v2/storefront/checkout endpoint, attackers can retrieve and associate addresses belonging to other users. The vulnerability affects versions 3.7.0 and above, with patches available in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5+. The issue stems from inadequate object-level authorization checks during order updates.
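The authorization gap described above, reduced to its core in an added Ruby example (this is not Spree's code; `Address`, `Order`, the in-memory `ADDRESSES` list and the two updater functions are hypothetical stand-ins for the checkout update path): the unsafe form resolves the address id from the request globally, the hardened form scopes the lookup to the current user's own addresses so a foreign id is rejected like a non-existent one.

```ruby
# Added example, not Spree's own code: minimal model of the IDOR pattern behind
# CVE-2026-22588 and the object-level authorization check that closes it.
# All names here are hypothetical stand-ins, not Spree internals.

Address = Struct.new(:id, :user_id, :line1)
Order   = Struct.new(:id, :user_id, :bill_address_id)

# Constructed sample data: two users (100 and 200), one address each.
ADDRESSES = [
  Address.new(1, 100, "1 First St"),
  Address.new(2, 200, "2 Second Ave"),
].freeze

class NotAuthorized < StandardError; end

# Vulnerable form: the order itself is ownership-checked, but the address id
# taken from the request body is looked up across ALL addresses, so any
# existing id is accepted and attached to the caller's order.
def update_order_unsafe(order, current_user_id, params)
  raise NotAuthorized, "not your order" unless order.user_id == current_user_id
  addr = ADDRESSES.find { |a| a.id == params[:bill_address_id] }
  raise ArgumentError, "unknown address" unless addr
  order.bill_address_id = addr.id # may now reference another user's address
  order
end

# Hardened form: the lookup is scoped to the current user's own addresses.
# A foreign id is indistinguishable from a non-existent one, which also
# avoids leaking whether the id exists (respond 404, not 403).
def update_order_safe(order, current_user_id, params)
  raise NotAuthorized, "not your order" unless order.user_id == current_user_id
  addr = ADDRESSES.find do |a|
    a.id == params[:bill_address_id] && a.user_id == current_user_id
  end
  raise ArgumentError, "unknown address" unless addr
  order.bill_address_id = addr.id
  order
end

# Helper for comparison: returns :ok, :rejected or :forbidden for one request.
def outcome(updater, order, user_id, params)
  send(updater, order, user_id, params)
  :ok
rescue ArgumentError
  :rejected
rescue NotAuthorized
  :forbidden
end
```

Running `outcome(:update_order_unsafe, Order.new(1, 100, nil), 100, bill_address_id: 2)` yields `:ok` while the safe variant yields `:rejected`; the only difference is the ownership condition inside the lookup.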