CVE-2026-31867 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability arises from the CartController accepting a user-supplied 32-character cart number parameter to load and modify shopping carts without verifying the requester's ownership or authorization. The system only checks if the order exists and is incomplete, allowing any attacker who can guess or obtain a valid cart number to hijack the shopping cart session. This can lead to unauthorized modification of cart contents and exposure of sensitive customer data, including personally identifiable information (PII). The vulnerability affects Craft Commerce versions from 4.0.0 up to but not including 4.11.0, and from 5.0.0 up to but not including 5.6.0. Exploitation does not require authentication or user interaction but has a high attack complexity due to the difficulty in guessing valid cart numbers. The CVSS 4.0 base score is 6.3, reflecting medium severity with network attack vector, no privileges required, and no user interaction needed. The flaw was publicly disclosed on March 11, 2026, and patches are available in versions 4.11.0 and 5.6.0. No known exploits in the wild have been reported to date.

This vulnerability allows attackers to hijack active shopping carts by guessing or obtaining the cart identifier, leading to unauthorized access and modification of incomplete orders. The exposure of personally identifiable information (PII) within these carts could result in privacy violations and regulatory non-compliance for affected organizations. Attackers could manipulate cart contents, potentially causing financial discrepancies or fraudulent transactions if combined with other weaknesses. The lack of ownership validation undermines the integrity and confidentiality of customer data and ecommerce operations. Organizations relying on vulnerable versions of Craft Commerce face risks of customer trust erosion, legal liabilities, and operational disruptions. Although exploitation complexity is high, the network-based attack vector and lack of authentication requirements increase the threat surface, especially for high-traffic ecommerce sites. The medium severity rating indicates a significant but not critical risk, emphasizing the need for timely patching to prevent potential abuse.

Organizations should immediately upgrade Craft Commerce to versions 4.11.0 or 5.6.0 or later, where this vulnerability is fixed. Until upgrades are applied, implement strict access controls and monitoring on the cart endpoints to detect unusual access patterns or repeated attempts to guess cart numbers. Employ rate limiting and IP reputation filtering to reduce the feasibility of brute-force attacks on cart identifiers. Review and enhance logging to capture all cart access and modification events for forensic analysis. Consider implementing additional application-layer authorization checks to verify user ownership of carts before allowing access or modification. Educate developers and administrators on secure coding practices to avoid similar IDOR vulnerabilities, including validating user permissions on all sensitive resources. Regularly audit ecommerce platform configurations and dependencies to ensure timely application of security patches. Finally, conduct penetration testing focused on authorization controls to identify and remediate any residual weaknesses.