VYPR
Medium severity (CVSS 6.9) · GHSA Advisory · Published Jun 19, 2026

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass

CVE-2026-55795

Description

Summary

The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.

Details

When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.


Impact

An attacker can enumerate all coupon codes through automated requests.

Remediation

Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The rate-limiter in CartController only activated when the 'number' parameter was present, leaving coupon-code submissions unthrottled."

Attack vector

An attacker sends repeated `POST` or `GET` requests to the `update-cart` action with a `couponCode` parameter but without a `number` parameter. Because the rate-limiter only activated when `'number'` was present, no throttling was applied, enabling brute-force enumeration of valid coupon codes. [CWE-307]

Affected code

The vulnerability resides in `CartController.php` where the `behaviors()` method's rate-limiting closure only checked for the `'number'` parameter, ignoring `'couponCode'`. This allowed unlimited coupon-code submissions when the `'number'` parameter was absent.

What the fix does

The patch introduces a `RATE_LIMITED_PARAMS` constant containing both `'number'` and `'couponCode'`, and changes the rate-limiting activation check to test whether any of these parameters are present. This ensures that coupon-code submissions are always rate-limited, closing the brute-force vector.
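To make the activation check concrete, here is an added, framework-free PHP model of the two checks described above. It is not Craft Commerce's code: the function names, the fixed-window counter and the sample requests are hypothetical, and only the `RATE_LIMITED_PARAMS` constant and the parameter names come from the advisory.

```php
<?php
// Added illustration, not Craft Commerce code. Models the activation check
// in CartController::behaviors(); all function names are hypothetical.

const RATE_LIMITED_PARAMS = ['number', 'couponCode'];

// Vulnerable check: throttling only engages when 'number' is present.
function rateLimitAppliesBefore(array $params): bool
{
    return isset($params['number']);
}

// Fixed check: throttling engages when ANY rate-limited parameter is present.
function rateLimitAppliesAfter(array $params): bool
{
    foreach (RATE_LIMITED_PARAMS as $name) {
        if (isset($params[$name])) {
            return true;
        }
    }
    return false;
}

// Minimal fixed-window counter keyed by client, so the effect of the
// activation check is visible. Returns true when the request is allowed.
function allowRequest(array &$buckets, string $client, array $params,
                      callable $applies, int $limit): bool
{
    if (!$applies($params)) {
        return true; // unthrottled path: the limiter never runs
    }
    $buckets[$client] = ($buckets[$client] ?? 0) + 1;
    return $buckets[$client] <= $limit;
}

// Constructed sample: ten coupon guesses against the session cart,
// each carrying 'couponCode' but no 'number' parameter.
$limit = 5;
$checks = ['before' => 'rateLimitAppliesBefore', 'after' => 'rateLimitAppliesAfter'];
foreach ($checks as $label => $fn) {
    $buckets = [];
    $allowed = 0;
    for ($i = 0; $i < 10; $i++) {
        $params = ['couponCode' => "GUESS$i"]; // constructed guess
        if (allowRequest($buckets, '203.0.113.7', $params, $fn, $limit)) {
            $allowed++;
        }
    }
    echo "$label: $allowed of 10 coupon attempts allowed\n";
}
```

With the vulnerable check every attempt passes; with the fixed check only the first `$limit` attempts per client are allowed, which is the behaviour the patch restores.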

Preconditions

  • Network: the attacker must be able to send HTTP requests to the `update-cart` action of the Craft Commerce CartController.
  • Input: the attacker must submit a `couponCode` parameter without a `number` parameter.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
