CVE-2026-40098: OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure

April 21, 2026 (updated April 27, 2026)

The shared wishlist add-to-cart endpoint authorizes access with a public sharing_code, but loads the acted-on wishlist item by a separate global wishlist_item_id and never verifies that the item belongs to the shared wishlist referenced by that code.

This lets an attacker use:

a valid shared wishlist code for wishlist A
a wishlist item ID belonging to victim wishlist B

to import victim item B into the attacker’s cart through the shared wishlist flow for wishlist A.

Because the victim item’s stored buyRequest is reused during cart import, the victim’s private custom-option data is copied into the attacker’s quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-40098 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →