Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/spree_api@3.8
purl pkg:gem/spree_api@3.8
Tags Ghost
Next non-vulnerable version 4.10.3
Latest non-vulnerable version 5.3.2
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-yqz2-9hru-wkcs
Aliases:
CVE-2020-26223
GHSA-m2jr-hmc3-qmpr
Authorization bypass in Spree ### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
4.0.5
Affected by 2 other vulnerabilities.
4.1.12
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T16:14:51.895277+00:00 Ruby Importer Affected by VCID-yqz2-9hru-wkcs https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml 38.6.0