GHSA-p6pv-q7rc-g4h9

Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029)

The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token.

Order lookup without enforcing token requirement in OrdersController#show:

@order = complete_order_finder.new(number: params[:id], token: params[:token], store: current_store).execute.first

Authorization bypass for guest orders in authorize_access:

def authorize_access
  return true if @order.user_id.nil?

  @order.user == try_spree_current_user
end

If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. Alternatively, brute forcing all or parts of the possible Order IDs might be feasible for an attacker. (The Order IDs themselves are securely generated, but with relatively low entropy: by default an order ID has a length of 9 and a base of 10, that would require an attacker to perform 1 billion requests to gather all guest orders. (At an assumed constant rate of 100 requests per second it would take 115 days.)

Proof of Concept

1. As a guest create a complete order.
2. Fetch the latest Order ID from the database (Table: spree_orders).
3. In another clean browser access following URL: <SPREE-HOST>/orders/<ORDER-ID>. (Sample: http://localhost:3000/orders/R496592563)

=> Full guest order details are disclosed including names, addresses and limited payment info.

Impact

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

CWEs

• CWE-639: Authorization Bypass Through User-Controlled Key

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.