High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
CVE-2026-25757
Description
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID: knowing an order's number is enough to have the storefront render the completed order, with no check that the caller is the customer who placed it. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2; operators should upgrade to the patched release of the minor line they run.
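The following is an added illustration, not code from Spree or from the advisory. It models the gap the description above states (a completed guest order readable by anyone who supplies its order number) beside an ownership-gated lookup of the kind a storefront needs. The in-memory order store, the field names, the guest-token mechanism and the sample data are constructed assumptions for this example; the actual Spree change is in the commits listed under References and is not reproduced here.

```ruby
# Added illustration, not Spree's code. ORDERS, the Order struct, the
# guest_token field and the sample records are constructed for this example.
require 'securerandom'

class OrderNotFound < StandardError; end

Order = Struct.new(:number, :state, :user_id, :guest_token,
                   :email, :ship_address, :phone, keyword_init: true)

# Constructed sample orders: one placed by a guest, one by a signed-in user.
ORDERS = {
  'R100000001' => Order.new(number: 'R100000001', state: 'complete', user_id: nil,
                            guest_token: SecureRandom.hex(16),
                            email: 'guest@example.com',
                            ship_address: '1 Example St', phone: '555-0100'),
  'R100000002' => Order.new(number: 'R100000002', state: 'complete', user_id: 42,
                            guest_token: nil,
                            email: 'member@example.com',
                            ship_address: '2 Example Ave', phone: '555-0101'),
}.freeze

# Vulnerable pattern: the public order number is the only key, so any caller,
# authenticated or not, can fetch a completed order and read its PII.
def show_order_vulnerable(number)
  ORDERS.fetch(number) { raise OrderNotFound }
end

# Constant-time comparison so a wrong token cannot be refined byte by byte.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened pattern: the number locates the record, but rendering it requires
# proof of ownership. A registered order is shown only to the user who placed
# it; a guest order only to a caller presenting that order's guest token.
# "No such order" and "not your order" both raise the same not-found error,
# so an unauthenticated probe cannot learn which numbers exist.
def show_order_hardened(number, current_user_id: nil, guest_token: nil)
  order = ORDERS.fetch(number) { raise OrderNotFound }
  owner = if order.user_id
            order.user_id == current_user_id
          else
            constant_time_equal?(guest_token, order.guest_token)
          end
  raise OrderNotFound unless owner
  order
end

if __FILE__ == $PROGRAM_NAME
  puts show_order_vulnerable('R100000001').email # readable by anyone
  begin
    show_order_hardened('R100000001')            # no token: refused
  rescue OrderNotFound
    puts 'unauthenticated lookup refused'
  end
  token = ORDERS['R100000001'].guest_token
  puts show_order_hardened('R100000001', guest_token: token).email
end
```

The design point is that the order number is an identifier, not a credential: however the number generator formats it, a lookup keyed on it alone is an object-level authorization failure. The hardened lookup also answers "wrong token" and "unknown number" identically, so the endpoint does not double as an oracle for valid order numbers.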
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| spree_storefront | RubyGems | < 5.0.8 | 5.0.8 |
| spree_storefront | RubyGems | >= 5.1.0, < 5.1.10 | 5.1.10 |
| spree_storefront | RubyGems | >= 5.2.0, < 5.2.7 | 5.2.7 |
| spree_storefront | RubyGems | >= 5.3.0, < 5.3.2 | 5.3.2 |
References
- github.com/advisories/GHSA-p6pv-q7rc-g4h9 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25757 (NVD entry)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_storefront/CVE-2026-25757.yml (ruby-advisory-db entry)
- github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb (storefront orders controller)
- github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb (order number generator)
- github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab (commit)
- github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be (commit)
- github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d (commit)
- github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad (commit)
- github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 (project security advisory)
News mentions
- How to scan for vulnerabilities with GitHub Security Lab's open source AI-powered framework (GitHub Security Lab, Mar 6, 2026)