Craft Commerce
CVE-2026-31867
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
AnalysisAI
Craft Commerce versions prior to 4.11.0 and 5.6.0 contain an IDOR vulnerability in the cart functionality that allows unauthenticated attackers to access and modify arbitrary shopping carts by guessing or knowing their 32-character identifiers. The CartController fails to validate cart ownership, enabling attackers to hijack active shopping sessions and potentially access sensitive customer information. No patch is currently available for affected versions.
Technical ContextAI
This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects Craft Commerce is an ecommerce platform for Craft CMS.. Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester h
RemediationAI
Fixed in version 4.11.0.
More in Craft Commerce
View allSQL injection in Craft Commerce's purchasables endpoint allows authenticated attackers to manipulate the sort parameter
Craft Commerce versions prior to 5.5.3 contain an SQL injection vulnerability in the inventory levels endpoint where sor
Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory manageme
Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1)
Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Metho
Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h
Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h
Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges
Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p
Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in
Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p
Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vff3-pqq8-4cpq