Auth bypass in Craftcms Commerce
CVE-2026-32270
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the…
Vulnerability class: Information Disclosure
EPSS: 0.001 (25.5th percentile)
Affected products
- Craftcms Commerce — versions >= 4.0.0, < 4.11.0, >= 5.0.0, < 5.6.0
Weakness classification (CWE)
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf (x_refsource_CONFIRM)
- https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08 (x_refsource_MISC)
- https://github.com/craftcms/commerce/releases/tag/4.11.0 (x_refsource_MISC)
- https://github.com/craftcms/commerce/releases/tag/5.6.0 (x_refsource_MISC)