Spree up to 4.10.1/5.0.6/5.1.8/5.2.4 authorization

Summaryinfo

A vulnerability marked as problematic has been reported in Spree up to 4.10.1/5.0.6/5.1.8/5.2.4. Affected by this vulnerability is an unknown functionality. Performing a manipulation results in authorization. This vulnerability is reported as CVE-2026-22588. The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Spree up to 4.10.1/5.0.6/5.1.8/5.2.4. It has been classified as problematic. This affects an unknown code. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on confidentiality. The summary by CVE is:

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-22588 since 01/07/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available.

Upgrading to version 4.10.2, 5.0.7, 5.1.9 or 5.2.5 eliminates this vulnerability. Applying the patch 02acabdce2c5f14fd687335b068d901a957a7e72 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-1421). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Spree

Version

• 4.10.0
• 4.10.1
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.1.0
• 5.1.1
• 5.1.2
• 5.1.3
• 5.1.4
• 5.1.5
• 5.1.6
• 5.1.7
• 5.1.8
• 5.2.0
• 5.2.1
• 5.2.2
• 5.2.3
• 5.2.4

License

• open-source

Website

• Product: https://github.com/spree/spree/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion