Craft CMS Commerce discloses order data to unauthorized users
CVE-2026-32270
GHSA-3vxg-x5f8-f5qf
Summary
Craft CMS Commerce versions 4.0.0 to 4.10.2 and 5.0.0 to 5.5.4 disclose sensitive order information to anyone who knows an order number, potentially exposing customer details. This is a concern for businesses that handle sensitive customer data. To protect your customers, update to versions 4.11.0 or 5.6.0, which fix this issue.
What to do
- Update craftcms/commerce to version 5.6.0 (5.x branch).
- Update craftcms/commerce to version 4.11.0 (4.x branch).
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| composer | craftcms | commerce | >= 5.0.0, <= 5.5.4; >= 4.0.0, <= 4.10.2 | upgrade to 5.6.0 |
| Packagist | craftcms | craftcms/commerce | >= 5.0.0, < 5.6.0; >= 4.0.0, < 4.11.0 | upgrade to 5.6.0 |
Original title
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
Original description
### Summary
`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment.
The JSON error response includes the serialized order object (`order`), which contains some sensitive fields such as customer email, shipping address, and billing address.
### Details
I manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.
Code path:
1. Load order by `number`.
2. Evaluate whether payment is authorized for completed orders (`number + matching email`).
3. If unauthorized, return failure.
4. Failure response still includes `cartArray($order)`, which serializes sensitive order data.
Why is this a vulnerability?
- Authorization logic says the requester is not allowed to pay for a completed order without an email.
- But the response still returns the same completed order’s contents.
### Impact
Type: Information Disclosure / Broken Access Control
Who is impacted:
- Any Commerce deployment where completed order numbers can be obtained or leaked.
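A simplified model of the code path above, added here as an illustration and not Craft Commerce's own code: `payVulnerable()` mirrors the reported behaviour, where the failure branch still serializes the order, while `payFixed()` shows the shape of a response that never includes data from the loaded order when the email check fails. The `Order` class, the `cartArray()` body and the sample order are hypothetical stand-ins.

```php
<?php
// Hypothetical stand-in for an order record; not Craft Commerce's Order model.
final class Order
{
    public function __construct(public string $number, public string $email,
                                public bool $isCompleted, public string $shippingAddress) {}
}

// Stand-in for cartArray(): serializes the whole order, including customer PII.
function cartArray(Order $order): array
{
    return ['number' => $order->number, 'email' => $order->email, 'shippingAddress' => $order->shippingAddress];
}

// Anonymous payment on a completed order requires the order number AND a matching email;
// uncompleted carts are treated as payable, as in the reported code path.
function isPaymentAuthorized(Order $order, ?string $email): bool
{
    if (!$order->isCompleted) {
        return true;
    }
    return $email !== null && strcasecmp($order->email, $email) === 0;
}

// Mirrors the reported defect: authorization fails, yet the failure body still carries
// the serialized order, so an order number alone yields the customer's email and address.
function payVulnerable(Order $order, ?string $email): array
{
    if (!isPaymentAuthorized($order, $email)) {
        return ['success' => false, 'error' => 'Unauthorized', 'order' => cartArray($order)];
    }
    return ['success' => true, 'order' => cartArray($order)];
}

// Remediation shape: an unauthorized response is built without the loaded order, so nothing
// read from the database by number reaches an unauthenticated caller.
function payFixed(Order $order, ?string $email): array
{
    if (!isPaymentAuthorized($order, $email)) {
        return ['success' => false, 'error' => 'Unauthorized'];
    }
    return ['success' => true, 'order' => cartArray($order)];
}

// Constructed sample order; a request that supplies only the number must not learn the email.
$order = new Order('100042', 'customer@example.com', true, '1 Example Street');
assert(array_key_exists('order', payVulnerable($order, null)));                // leaks PII
assert(!array_key_exists('order', payFixed($order, null)));                    // no order data
assert(array_key_exists('order', payFixed($order, 'customer@example.com')));   // legitimate payer still sees it
```

Checking that every error branch of a payment or checkout action is built without the record it just loaded is the quickest way to confirm a deployment is not exposed to this class of bug.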
NVD CVSS 4.0 base score: 1.7
Vulnerability type
- CWE-200: Information Exposure
- CWE-862: Missing Authorization
References
- https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca...
- https://github.com/craftcms/commerce/releases/tag/4.11.0
- https://github.com/craftcms/commerce/releases/tag/5.6.0
- https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
- https://nvd.nist.gov/vuln/detail/CVE-2026-32270
- https://github.com/advisories/GHSA-3vxg-x5f8-f5qf
- https://github.com/craftcms/commerce (product page)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 13 Apr 2026