CVE-2026-22589: Spree API has Unauthenticated IDOR - Guest Address
An unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified in the Spree API that allows an attacker to read guest address information without supplying valid credentials or session cookies.
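The class of bug described above is a lookup keyed on a record id alone, with no check that the caller is entitled to that record. The following Ruby snippet is an added illustration and is not Spree's code: it models guest addresses in memory with constructed sample data, shows the id-only lookup that enables an IDOR, and beside it a lookup scoped to a secret the caller already proved possession of (here a hypothetical per-order guest token), returning 404 rather than 403 so that a guessed id does not confirm the record exists.

```ruby
# Added example, not from the Spree project: an IDOR-prone address lookup
# next to a scoped one. Ids, tokens and names below are constructed sample data.

Address = Struct.new(:id, :order_token, :name, :street, keyword_init: true)

# Constructed sample data: two guest orders, each with one address.
ADDRESSES = [
  Address.new(id: 1, order_token: 'guest-token-A', name: 'Alice', street: '1 First St'),
  Address.new(id: 2, order_token: 'guest-token-B', name: 'Bob',   street: '2 Second St')
].freeze

# Vulnerable pattern: the record is fetched by its id alone, so any caller
# who can guess or enumerate ids reads every guest's address.
def find_address_insecure(id)
  ADDRESSES.find { |a| a.id == id }
end

# Constant-time string comparison so a token check does not leak how many
# leading bytes matched. (Rails offers ActiveSupport::SecurityUtils.secure_compare;
# this local version keeps the example dependency-free.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern: the lookup is scoped to the object the caller already
# proved possession of (the hypothetical guest order token), so an id on its
# own never selects a record.
def find_address_scoped(id, order_token)
  return nil if order_token.nil?
  ADDRESSES.find do |a|
    a.id == id && secure_compare(a.order_token, order_token)
  end
end

# Simulated request handler: an unauthorised or unknown id yields 404 rather
# than 403, so the response does not reveal whether the record exists.
def handle_request(id, order_token)
  address = find_address_scoped(id, order_token)
  address ? [200, address.to_h] : [404, { error: 'not found' }]
end

if __FILE__ == $PROGRAM_NAME
  p find_address_insecure(2)            # any caller sees Bob's address
  p handle_request(2, 'guest-token-A')  # wrong token: 404
  p handle_request(2, 'guest-token-B')  # right token: 200 with the address
end
```

The point for reviewers is structural: authorization belongs in the query itself (scope every fetch to the caller's own order, account or token), not in an after-the-fact check that a later refactor can drop.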
References
- github.com/advisories/GHSA-3ghg-3787-w2xr
- github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_core/CVE-2026-22589.yml
- github.com/spree/spree
- github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
- github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
- github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
- github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
- github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
- nvd.nist.gov/vuln/detail/CVE-2026-22589