Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable guest-registration flow needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); authentication bypass exposes and lets attacker alter account data (C:H/I:H) with no availability impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
AnalysisAI
Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Drupal Commerce site has the contributed Commerce Guest Registration module installed and enabled, with the guest checkout/registration flow reachable - this is the specific feature that must be deployed for the vulnerability to exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted guest-registration or guest-checkout request over the network, supplying the email address (or identifier) of an existing customer account. Because the module improperly verifies identity, the request is authenticated or linked as that victim, granting the attacker access to the victim's account or order/PII data without credentials or user interaction. … |
| Remediation | Consult Drupal advisory SA-CONTRIB-2026-079 (https://www.drupal.org/sa-contrib-2026-079) and upgrade the Commerce Guest Registration module to the fixed release listed there; the input data does not specify an exact fix version, so the patched version must be confirmed directly from that advisory (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: immediately identify whether your organization deployed Drupal Commerce Guest Registration module; if present, disable guest checkout functionality or the module entirely and escalate to the security and commerce teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43088
GHSA-5688-w7cj-j738