CVE-2026-8737
Description
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argument userId/id can lead to missing authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PublicCMS 5.202506.d trade address API lacks authentication, allowing unauthenticated attackers to enumerate and retrieve other users' shipping addresses and phone numbers.
Root Cause
The vulnerability resides in the TradeAddressListDirective and related endpoints within PublicCMS's trade module. These directives inherit from AbstractTemplateDirective but fail to override needAppToken() or needUserToken(), leaving the endpoints accessible without any authentication or authorization checks [1]. As a result, an unauthenticated attacker can query address data belonging to arbitrary users by supplying a userId or address id parameter.
Attack Vector
The attack is performed remotely by sending crafted GET requests to the following endpoints:
- /api/directive/trade/addressList?userId=<target>&pageSize=20
- /api/directive/trade/address?id=<target>
No cookies, session tokens, or authentication headers are required. The server responds with HTTP 200 and returns the full TradeAddress entity, including sensitive fields such as address, addressee, telephone, and userId [1].
Impact
An unauthenticated attacker can enumerate user IDs and retrieve the shipping addresses, recipient names, and phone numbers of any user in the system. This constitutes a severe privacy breach and could be used for targeted phishing, identity theft, or physical harassment. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released. Users of PublicCMS 5.202506.d should implement network-level restrictions (e.g., firewall rules) to block external access to the /api/directive/trade/ endpoints, or apply custom authentication logic by overriding the token-check methods in the affected directives [1].
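As an added example (not part of this CVE record or of PublicCMS), here is the log-side check a defender can run over web server access logs for the two endpoints listed under Attack Vector until the directives enforce a user token: it flags clients that pull several distinct address or user records from those endpoints without any session cookie. It assumes a combined-log-format line with the request's Cookie header appended as the last quoted field and a servlet-style JSESSIONID session cookie (both assumptions; the sample lines are constructed).

```python
"""Flag enumeration of PublicCMS trade address directives in access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Endpoints named in the advisory and the parameter each one takes.
WATCHED = {
    "/api/directive/trade/addressList": "userId",
    "/api/directive/trade/address": "id",
}

# Combined log format with the Cookie header logged as the final quoted field
# (assumption: the reverse proxy is configured to log it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return a small event dict for requests to a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    param = WATCHED.get(url.path)
    if param is None:
        return None
    target = parse_qs(url.query).get(param, [None])[0]
    return {"ip": m["ip"], "endpoint": url.path, "target": target,
            "status": int(m["status"]),
            "has_session": "JSESSIONID=" in m["cookie"]}  # assumed cookie name

def find_enumeration(lines, threshold=3):
    """Map client IP -> sorted target ids for clients that fetched at least
    `threshold` distinct ids with HTTP 200 and no session cookie."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 200 and not ev["has_session"] and ev["target"]:
            seen[ev["ip"]].add(ev["target"])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/May/2026:10:00:01 +0000] "GET /api/directive/trade/addressList?userId=1&pageSize=20 HTTP/1.1" 200 512 ""',
    '203.0.113.7 - - [18/May/2026:10:00:02 +0000] "GET /api/directive/trade/addressList?userId=2&pageSize=20 HTTP/1.1" 200 498 ""',
    '203.0.113.7 - - [18/May/2026:10:00:03 +0000] "GET /api/directive/trade/addressList?userId=3&pageSize=20 HTTP/1.1" 200 503 ""',
    '203.0.113.7 - - [18/May/2026:10:00:04 +0000] "GET /api/directive/trade/address?id=4 HTTP/1.1" 200 211 ""',
    '198.51.100.5 - - [18/May/2026:10:01:00 +0000] "GET /api/directive/trade/addressList?userId=42&pageSize=20 HTTP/1.1" 200 510 "JSESSIONID=abc123"',
    '192.0.2.9 - - [18/May/2026:10:02:00 +0000] "GET /api/directive/trade/address?id=7 HTTP/1.1" 200 209 ""',
    '192.0.2.9 - - [18/May/2026:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 1024 ""',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```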
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
News mentions (1)
- ZDI-26-295: (0Day) PublicCMS getXml Server-Side Request Forgery Information Disclosure Vulnerability, Zero Day Initiative, Apr 21, 2026