Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-yqz2-9hru-wkcs
Vulnerability ID VCID-yqz2-9hru-wkcs
Aliases CVE-2020-26223
GHSA-m2jr-hmc3-qmpr
Summary Authorization bypass in Spree ### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2020-26223
cvssv3.1 7.7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
cvssv3.1 7.7 https://github.com/spree/spree
generic_textual HIGH https://github.com/spree/spree
cvssv3.1 7.7 https://github.com/spree/spree/pull/10573
generic_textual HIGH https://github.com/spree/spree/pull/10573
cvssv3 7.7 https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1 7.7 https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
generic_textual HIGH https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1 7.7 https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
generic_textual HIGH https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
cvssv3.1 7.7 https://nvd.nist.gov/vuln/detail/CVE-2020-26223
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-26223
cvssv3.1 7.7 https://rubygems.org/gems/spree_api/versions
generic_textual HIGH https://rubygems.org/gems/spree_api/versions
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-26223
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
https://github.com/spree/spree
https://github.com/spree/spree/pull/10573
https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
https://rubygems.org/gems/spree_api/versions
CVE-2020-26223 https://nvd.nist.gov/vuln/detail/CVE-2020-26223
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree/pull/10573
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26223
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://rubygems.org/gems/spree_api/versions
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.50355
EPSS Score 0.00267
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:51.890998+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml 38.6.0