CVE-2026-32270: Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment.
The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address.
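The failure pattern described above, as an added illustration in PHP that is not code from Craft Commerce or from its fix commit: an error response that embeds the whole serialized order beside a response that returns nothing about the order once the email check fails, plus a small check a regression test could run against the error body. The order array, the email-check helper and all function names are hypothetical.

```php
<?php
// Added illustration, not Craft Commerce code. The array is a constructed
// sample standing in for a serialized order object; the number is a placeholder.
$order = [
    'number'          => 'ORDER-NUMBER-PLACEHOLDER',
    'email'           => 'customer@example.com',
    'shippingAddress' => ['fullName' => 'A. Customer', 'addressLine1' => '1 Example St'],
    'billingAddress'  => ['fullName' => 'A. Customer', 'addressLine1' => '1 Example St'],
    'totalPrice'      => 42.00,
];

// Hypothetical stand-in for the email check the advisory refers to.
function emailMatches(array $order, ?string $submittedEmail): bool
{
    return $submittedEmail !== null
        && hash_equals(strtolower($order['email']), strtolower($submittedEmail));
}

// Vulnerable pattern: the authorization-failure path serializes the entire
// order, so the JSON error body carries the customer's email and addresses.
function payErrorVulnerable(array $order): array
{
    return ['success' => false, 'error' => 'Email does not match order.', 'order' => $order];
}

// Hardened pattern: a failed check returns no order data at all; only the
// value the caller already supplied (the order number) is echoed back.
function payErrorHardened(array $order): array
{
    return ['success' => false, 'error' => 'Email does not match order.', 'orderNumber' => $order['number']];
}

// Defender-side check: collect any key in the response body, at any depth,
// that the advisory names as sensitive. Nested keys are found by recursion.
function leaksSensitiveFields(array $response, array $sensitive = ['email', 'shippingAddress', 'billingAddress']): array
{
    $found = [];
    foreach ($response as $key => $value) {
        if (in_array((string) $key, $sensitive, true)) {
            $found[] = (string) $key;
        }
        if (is_array($value)) {
            $found = array_merge($found, leaksSensitiveFields($value, $sensitive));
        }
    }
    return $found;
}

if (!emailMatches($order, 'someone-else@example.com')) {
    assert(leaksSensitiveFields(payErrorVulnerable($order)) !== []); // leaking error body
    assert(leaksSensitiveFields(payErrorHardened($order)) === []);   // minimal error body
}
```

The same recursive check can be pointed at any JSON error response an unauthenticated endpoint produces, since the general lesson is that an authorization failure should never serialize the object the caller was not allowed to see.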
References
- github.com/advisories/GHSA-3vxg-x5f8-f5qf
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
- github.com/craftcms/commerce/releases/tag/4.11.0
- github.com/craftcms/commerce/releases/tag/5.6.0
- github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
- nvd.nist.gov/vuln/detail/CVE-2026-32270