Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rn35-cgp8-tfc1
Vulnerability ID VCID-rn35-cgp8-tfc1
Aliases CVE-2026-22589
GHSA-3ghg-3787-w2xr
Summary Spree API has Unauthenticated IDOR - Guest Address An Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/spree/spree
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
CVE-2026-22589 https://nvd.nist.gov/vuln/detail/CVE-2026-22589
CVE-2026-22589.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_core/CVE-2026-22589.yml
GHSA-3ghg-3787-w2xr https://github.com/advisories/GHSA-3ghg-3787-w2xr
GHSA-3ghg-3787-w2xr https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:49:26.375584+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_core/CVE-2026-22589.yml 38.6.0