7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22589

CVE-2026-22589: Spree API has Unauthenticated IDOR - Guest Address

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22589

CVE-2026-22589:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
spree_core	rubygems	>= 4.0.0, < 4.10.2	4.10.2
spree_core	rubygems	>= 5.0.0, < 5.0.7	5.0.7
spree_core	rubygems	>= 5.1.0, < 5.1.9	5.1.9
spree_core	rubygems	>= 5.2.0, < 5.2.5	5.2.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an Insecure Direct Object Reference (IDOR) in the Spree storefront that allows an unauthenticated attacker to access and manage the addresses of guest users. The root cause is a faulty authorization check in the Spree::Ability class (and Spree::PermissionSets::DefaultCustomer in some versions). The rule can :manage, ::Spree::Address, user_id: user.id was applied to guest users, for whom the user.id is nil. This allowed any guest to manage any address where the user_id was also nil, which corresponds to addresses created by other guests. The exploit occurs when an attacker makes a request to endpoints in Spree::AddressesController, such as /addresses/{id}/edit. The patch addresses the root cause by adding a user.persisted? check, ensuring the rule only applies to authenticated, registered users. It also adds a defense-in-depth measure by requiring authentication for all actions in the Spree::AddressesController via a before_action :require_user.

Vulnerable functions

Spree::AddressesController.edit

storefront/app/controllers/spree/addresses_controller.rb

This controller action was accessible to unauthenticated users. Due to a flaw in the authorization logic in `Spree::Ability`, an attacker could call this endpoint with the ID of any guest user's address to view and retrieve sensitive Personally Identifiable Information (PII).

Spree::AddressesController.update

storefront/app/controllers/spree/addresses_controller.rb

This controller action was accessible to unauthenticated users, allowing them to modify the address details of any guest user by exploiting the Insecure Direct Object Reference (IDOR) vulnerability.

Spree::AddressesController.destroy

storefront/app/controllers/spree/addresses_controller.rb

This controller action was accessible to unauthenticated users, which would allow an attacker to delete the addresses of other guest users.

Spree::Ability.apply_user_permissions

core/app/models/spree/ability.rb

This method is the root cause of the vulnerability. It incorrectly defined permissions for guest users (who are not persisted and have a `nil` user ID), granting them the ability to manage any address with a `nil` user_id, which includes all other guest addresses.

Spree::PermissionSets::DefaultCustomer.activate!

core/app/models/spree/permission_sets/default_customer.rb

In some versions of Spree, this method also contained the same flawed authorization logic as `Spree::Ability.apply_user_permissions`. It incorrectly granted permissions to guest users, contributing to the IDOR vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22589: Spree API has Unauthenticated IDOR - Guest Address

CVE-2026-22589:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2026-22589: Spree API has Unauthenticated IDOR - Guest Address

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI