Skip to main content

Drupal Commerce EUVDEUVD-2026-43088

| CVE-2026-15089 CRITICAL
Improper Authentication (CWE-287)
2026-07-10 drupal GHSA-5688-w7cj-j738
9.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Network-reachable guest-registration flow needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); authentication bypass exposes and lets attacker alter account data (C:H/I:H) with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:33 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 10, 2026 - 21:54 cve.org
CRITICAL 9.1
CVE Published
Jul 10, 2026 - 21:54 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.

AnalysisAI

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach guest registration endpoint
Exploit
Submit crafted registration for victim identity
Execution
Bypass authentication check (CWE-287)
Impact
Gain access to victim account/order data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Drupal Commerce site has the contributed Commerce Guest Registration module installed and enabled, with the guest checkout/registration flow reachable - this is the specific feature that must be deployed for the vulnerability to exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted guest-registration or guest-checkout request over the network, supplying the email address (or identifier) of an existing customer account. Because the module improperly verifies identity, the request is authenticated or linked as that victim, granting the attacker access to the victim's account or order/PII data without credentials or user interaction. …
Remediation Consult Drupal advisory SA-CONTRIB-2026-079 (https://www.drupal.org/sa-contrib-2026-079) and upgrade the Commerce Guest Registration module to the fixed release listed there; the input data does not specify an exact fix version, so the patched version must be confirmed directly from that advisory (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately identify whether your organization deployed Drupal Commerce Guest Registration module; if present, disable guest checkout functionality or the module entirely and escalate to the security and commerce teams. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy