CVE-2026-32270
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
Description
### Summary

`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (`order`), which contains sensitive fields such as the customer email, shipping address, and billing address.

### Details

I manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.

Code path:

1. Load order by `number`.
2. Evaluate whether payment is authorized for completed orders (`number` + matching email).
3. If unauthorized, return failure.
4. The failure response still includes `cartArray($order)`, which serializes sensitive order data.

Why is this a vulnerability?

- The authorization logic says the requester is not allowed to pay for a completed order without the matching email.
- But the response still returns that same completed order's contents.

### Impact

Type: Information Disclosure / Broken Access Control

Who is impacted:

- Any Commerce deployment where completed order numbers can be obtained or leaked.
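The pattern described above, reduced to an added illustration that is not Craft Commerce's own code: `cartArray()`, `isAuthorizedToPay()`, the associative-array order and the two handler shapes are all stand-ins I constructed, and the "fixed" variant shows one way to fail closed, not necessarily what the 5.6.0 release does.

```php
<?php
// Stand-in for the serializer named in the advisory: it emits every field,
// including customer PII, so anything that embeds it leaks that PII.
function cartArray(array $order): array {
    return [
        'number'          => $order['number'],
        'email'           => $order['email'],
        'shippingAddress' => $order['shippingAddress'],
        'billingAddress'  => $order['billingAddress'],
        'total'           => $order['total'],
    ];
}

// Completed orders need number + matching email (assumed rule from the advisory).
function isAuthorizedToPay(array $order, ?string $requestEmail): bool {
    if (!$order['isCompleted']) {
        return true; // in-progress carts are assumed to be handled elsewhere
    }
    return $requestEmail !== null
        && strcasecmp($requestEmail, $order['email']) === 0;
}

// Vulnerable shape: the failure branch still embeds the whole order.
function payVulnerable(array $order, ?string $requestEmail): array {
    if (!isAuthorizedToPay($order, $requestEmail)) {
        return ['success' => false, 'error' => 'Unauthorized', 'order' => cartArray($order)];
    }
    return ['success' => true, 'order' => cartArray($order)];
}

// Hardened shape: decide authorization first and return only the error on failure.
function payFixed(array $order, ?string $requestEmail): array {
    if (!isAuthorizedToPay($order, $requestEmail)) {
        return ['success' => false, 'error' => 'Unauthorized'];
    }
    return ['success' => true, 'order' => cartArray($order)];
}

// Constructed sample order; no real customer data.
$order = [
    'number' => 'ORDER-NUMBER-PLACEHOLDER', 'email' => 'customer@example.com',
    'shippingAddress' => ['city' => 'Example City'],
    'billingAddress'  => ['city' => 'Example City'],
    'total' => 42.0, 'isCompleted' => true,
];
// An anonymous request with no email: the old branch leaks, the new one does not.
assert(array_key_exists('order', payVulnerable($order, null)));
assert(!array_key_exists('order', payFixed($order, null)));
// The legitimate customer still gets the order back from the hardened handler.
assert(payFixed($order, 'Customer@example.com')['success'] === true);
```

Checking for this class of defect in a code review means looking at every early-return branch of a controller action and asking whether the object the authorization check just rejected is still reachable from the response body.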
How to fix CVE-2026-32270
To remediate CVE-2026-32270, upgrade the affected package to a fixed version below.
- Upgrade to 5.6.0 or later
Is CVE-2026-32270 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.0.0, < 5.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |