Auth bypass in Craftcms Commerce
CVE-2026-31867
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowi…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (22.0th percentile)
Affected products
- Craftcms Commerce — versions >= 4.0.0 and < 4.11.0; versions >= 5.0.0 and < 5.6.0
Weakness classification (CWE)
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq (x_refsource_CONFIRM)
- https://github.com/craftcms/commerce/pull/4207 (x_refsource_MISC)