Craft Commerce, an ecommerce platform built on Craft CMS, suffered from an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability exists in the CartController component, which accepts a user-supplied 32-character 'number' parameter to load and modify shopping carts. Prior to versions 4.11.0 and 5.6.0, the system only verified that the order exists and is incomplete but did not validate whether the requester was authorized to access or modify the cart. This lack of ownership verification allows any attacker who can guess or obtain a valid cart number to hijack the shopping session, manipulate cart contents, and potentially access sensitive customer data including PII. The attack vector is network-based with no privileges or user interaction required, but the attack complexity is high due to the difficulty in guessing valid cart numbers. The vulnerability affects Craft Commerce versions from 4.0.0 up to but not including 4.11.0, and from 5.0.0 up to but not including 5.6.0. The issue was publicly disclosed in March 2026 and has a CVSS 4.0 score of 6.3, reflecting medium severity. No public exploits have been reported, but the risk remains significant for unpatched installations.

The primary impact of this vulnerability is unauthorized access to and manipulation of shopping carts, which can lead to session hijacking and unauthorized order modifications. Attackers could alter cart contents, potentially causing financial loss or disruption of ecommerce operations. Additionally, exposure of personally identifiable information (PII) stored within the cart or order details could lead to privacy violations and regulatory compliance issues such as GDPR or CCPA breaches. For organizations relying on Craft Commerce, this could damage customer trust and brand reputation. The vulnerability’s exploitation does not require authentication, increasing the risk of automated attacks or mass scanning for valid cart numbers. Although the attack complexity is high, the broad exposure of ecommerce platforms using affected versions worldwide means the potential impact is significant, especially for businesses with large customer bases or sensitive data in their shopping carts.

Organizations using Craft Commerce should immediately upgrade to versions 4.11.0 or 5.6.0 or later, where the vulnerability is patched. Until upgrades can be applied, implement strict access controls and monitoring on the CartController endpoints to detect and block suspicious requests with unusual cart number patterns. Employ rate limiting and anomaly detection to prevent brute-force guessing of cart numbers. Review and enhance logging to capture unauthorized access attempts for forensic analysis. Consider additional application-layer protections such as web application firewalls (WAFs) configured to identify and block exploitation attempts targeting cart manipulation. Conduct thorough audits of customer data access controls and ensure minimal PII is stored in shopping carts. Finally, educate development teams on secure coding practices to validate ownership and authorization for sensitive operations.