CVE-2026-22589

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22589

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22589.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22589

Aliases

GHSA-3ghg-3787-w2xr

Published

2026-01-10T03:17:58.494Z

Modified

2026-01-24T05:50:18.937211Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Spree API has Unauthenticated IDOR - Guest Address

Details

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22589.json",
    "cwe_ids": [
        "CWE-639"
    ]
}

References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

a100d2b1c9b264d1796b2433db002d12dddc32cc

Fixed

81d6c7d4e01dd9656c0907c954fb679983767b97

Database specific

{
    "versions": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "5.2.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

a8d7ad128ce7adabaea7e254803ac836fe88e154

Fixed

2ba1150da4d821bea3f49394c63430dddd35fd59

Database specific

{
    "versions": [
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

93f9cbef01f7afd5eee69d24e6f90fe261deff1e

Fixed

3e18ec0055a117b7a65a6f09226ddd823ede4ea3

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

Fixed

62e41d24e3f0b982f632d935b19291ecc967c42c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.10.2"
        }
    ]
}

Affected versions

v0.*

v0.11.0

v0.11.99

v0.2.0

v0.30.0.beta1

v0.4.0

v0.40.0

v0.5.0

v0.7.0

v0.70.0.rc2

v0.8.0

v0.8.1

v0.8.2

v1.*

v1.0.0.rc1

v1.0.0.rc2

v1.0.0.rc3

v1.2.0.rc1

v2.*

v2.4.0.rc1

v2.4.0.rc2

v2.4.0.rc3

v3.*

v3.0.0.rc1

v3.1.0.rc1

v3.2.0.rc1

v3.2.2

v3.3.0

v3.3.0.rc1

v3.3.0.rc2

v3.3.0.rc3

v3.3.0.rc4

v3.4.0

v3.4.0.rc1

v3.4.0.rc2

v3.5.0.rc1

v3.6.0.rc1

v3.7.0.beta

v3.7.0.rc1

v4.*

v4.0.0.beta

v4.1.0

v4.1.0.rc1

v4.1.0.rc2

v4.1.0.rc3

v4.10.0

v4.10.1

v4.2.0

v4.2.0.beta

v4.2.0.rc1

v4.2.0.rc2

v4.2.0.rc3

v4.2.0.rc4

v4.2.0.rc5

v4.3.0

v4.3.0.rc1

v4.3.0.rc2

v4.3.0.rc3

v4.4.0.rc1

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v4.8.1

v4.8.2

v4.8.3

v4.9.0

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.2.0

v5.2.1

v5.2.2

v5.2.3

v5.2.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22589.json"