CVE-2026-32270
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforced. This issue has been fixed in versions 4.11.0 and 5.6.0.
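The following is an added example, not Craft Commerce code: a minimal PHP model of the actionPay failure path described above, with the pre-fix and post-fix branches side by side and a regression check that a failed email check never returns order data. `Order`, `cartArray()`, `asFailure()`, `emailMatches()` and the sample order are assumptions that mimic the names in the fix diff, not the real framework API.

```php
<?php
declare(strict_types=1);

// Assumed order model (not the real craft\commerce\elements\Order).
final class Order
{
    public function __construct(
        public string $number,
        public string $email,
        public array $shippingAddress,
        public array $billingAddress,
        public bool $isActiveCart = false,
    ) {
    }
}

// Serializes an order the way a cart payload would (assumed field set).
function cartArray(Order $order): array
{
    return [
        'number' => $order->number,
        'email' => $order->email,
        'shippingAddress' => $order->shippingAddress,
        'billingAddress' => $order->billingAddress,
    ];
}

// Stand-in for the controller's JSON failure helper.
function asFailure(string $error, array $data = []): array
{
    return ['success' => false, 'message' => $error] + $data;
}

// Anonymous-payment check: the caller must present the order's email.
function emailMatches(Order $order, ?string $providedEmail): bool
{
    return $providedEmail !== null
        && hash_equals(strtolower($order->email), strtolower($providedEmail));
}

// Before the fix: the failure response carried the serialized order,
// even though the order was looked up by number only.
function actionPayVulnerable(Order $order, ?string $providedEmail): array
{
    if (!$order->isActiveCart && !emailMatches($order, $providedEmail)) {
        return asFailure('Email required to make payments on a completed order.', [
            'cart' => cartArray($order),
        ]);
    }
    return ['success' => true];
}

// After the fix (commit 48a5d94): only the error message is returned.
function actionPayFixed(Order $order, ?string $providedEmail): array
{
    if (!$order->isActiveCart && !emailMatches($order, $providedEmail)) {
        return asFailure('Email required to make payments on a completed order.');
    }
    return ['success' => true];
}

// Regression check: recursively look for sensitive keys in a response.
function containsSensitiveKeys(array $data, array $keys = ['email', 'shippingAddress', 'billingAddress']): bool
{
    foreach ($data as $key => $value) {
        if (in_array($key, $keys, true)) {
            return true;
        }
        if (is_array($value) && containsSensitiveKeys($value, $keys)) {
            return true;
        }
    }
    return false;
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("regression check failed: $what");
    }
}

// Constructed sample: a completed (non-cart) order requested by number with no email.
$order = new Order(
    '100042',
    'customer@example.com',
    ['city' => 'Example City', 'countryCode' => 'XX'],
    ['city' => 'Example City', 'countryCode' => 'XX'],
);

$before = actionPayVulnerable($order, null);
$after = actionPayFixed($order, null);

expect(containsSensitiveKeys($before), 'pre-fix response exposes email and addresses');
expect(!containsSensitiveKeys($after), 'post-fix response carries only success and message');
echo json_encode($after), PHP_EOL;
```

The `containsSensitiveKeys()` walk is the part worth keeping as a test in a real project: it checks every failure response of the payment action, not just this branch, so a future early return that re-attaches the cart payload is caught before release.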
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/commerce (Packagist) | >= 5.0.0, < 5.6.0 | 5.6.0 |
| craftcms/commerce (Packagist) | >= 4.0.0, < 4.11.0 | 4.11.0 |
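As an added example (not project code), a small PHP check that reads a composer.lock, finds the installed craftcms/commerce version and compares it against the two affected ranges in the table above. The lock-file excerpt is constructed; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Affected ranges from the advisory table: [min inclusive, max exclusive, patched release].
const AFFECTED_RANGES = [
    ['4.0.0', '4.11.0', '4.11.0'],
    ['5.0.0', '5.6.0', '5.6.0'],
];

// Returns the installed craftcms/commerce version from composer.lock JSON, or null.
function installedCommerceVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $package) {
        if (($package['name'] ?? '') === 'craftcms/commerce') {
            // Composer versions may carry a leading "v"; version_compare wants it stripped.
            return ltrim((string) $package['version'], 'v');
        }
    }
    return null;
}

// Returns the matching affected range, or null when the version is not affected.
function affectedRange(string $version): ?array
{
    foreach (AFFECTED_RANGES as [$min, $max, $fixed]) {
        if (version_compare($version, $min, '>=') && version_compare($version, $max, '<')) {
            return ['min' => $min, 'max' => $max, 'fixed' => $fixed];
        }
    }
    return null;
}

// Constructed composer.lock excerpt (only the fields this check reads).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "example/other-package", "version": "1.2.3"},
    {"name": "craftcms/commerce", "version": "4.10.2"}
  ]
}
JSON;

$version = installedCommerceVersion($lockJson);
$range = $version === null ? null : affectedRange($version);

if ($range !== null) {
    printf(
        "craftcms/commerce %s is in the affected range >= %s, < %s (CVE-2026-32270); upgrade to %s or later\n",
        $version, $range['min'], $range['max'], $range['fixed']
    );
} else {
    echo "craftcms/commerce is not installed or not in an affected range\n";
}
```

`version_compare()` orders pre-release tags below the final release, so a 5.6.0 beta still falls inside the affected range, which is the conservative result for this check.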
Patches
48a5d9464199 Remove order data from failed email check on payment
2 files changed · +2 −3
CHANGELOG.md+1 −0 modified@@ -3,6 +3,7 @@ ## Unreleased - Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerability in the control panel. (GHSA-875v-7m49-8x88) +- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) Information disclosure vulnerability in payment controller action. (GHSA-3vxg-x5f8-f5qf) ## 4.10.2 - 2026-02-09
src/controllers/PaymentsController.php+1 −3 modified@@ -141,9 +141,7 @@ public function actionPay(): ?Response if (!$order->getIsActiveCart() && !$checkPaymentCanBeMade) { $error = Craft::t('commerce', 'Email required to make payments on a completed order.'); - return $this->asFailure($error, data: [ - $this->_cartVariableName => $this->cartArray($order), - ]); + return $this->asFailure($error); } if ($plugin->getSettings()->requireShippingAddressAtCheckout && !$order->shippingAddressId) {
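Review bot: in the CHANGELOG hunk, "Information disclosure vulnerability" is capitalised mid-sentence while the neighbouring entry writes "SQL injection vulnerability" in lowercase; suggest "information disclosure vulnerability" for consistency with the existing entries.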
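Review bot: the PaymentsController hunk drops the `$this->_cartVariableName => $this->cartArray($order)` payload from this one failure branch, but the order has already been loaded by number at this point and the next check (`requireShippingAddressAtCheckout && !$order->shippingAddressId`, visible at the hunk's tail) and any other early `asFailure()` return in actionPay should be reviewed for the same pattern; a test asserting that every failure response from the action omits the cart key would keep this from regressing.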
References
- github.com/advisories/GHSA-3vxg-x5f8-f5qf (source: GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32270 (source: GHSA, advisory)
- github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08 (source: NVD, web)
- github.com/craftcms/commerce/releases/tag/4.11.0 (source: NVD, web)
- github.com/craftcms/commerce/releases/tag/5.6.0 (source: NVD, web)
- github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf (source: NVD, web)