CVE-2026-31867: Craft Commerce: Potential IDOR in Commerce carts

March 10, 2026 (updated March 11, 2026)

An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.

References

github.com/advisories/GHSA-vff3-pqq8-4cpq
github.com/craftcms/commerce
github.com/craftcms/commerce/pull/4207
github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq
nvd.nist.gov/vuln/detail/CVE-2026-31867

Code Behaviors & Features

Detect and mitigate CVE-2026-31867 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →