CVE-2026-32270: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.
AI Analysis
Technical Summary
Craft Commerce's PaymentsController::actionPay method in affected versions returns serialized order data in a JSON error response to unauthenticated users if an order number is provided and the email verification fails during an anonymous payment process. This leads to exposure of sensitive customer information such as email and addresses. The root cause is that the order is loaded by number prior to completing authorization checks. The vulnerability is identified as CWE-200 (Exposure of Sensitive Information) and CWE-862 (Missing Authorization). The flaw is resolved in Craft Commerce versions 4.11.0 and 5.6.0.
Potential Impact
Sensitive customer information including email, shipping address, and billing address can be exposed to unauthorized actors without authentication. The CVSS 4.0 score is low (1.7), reflecting limited impact and exploitability. There are no known exploits in the wild. The exposure could lead to privacy violations but does not allow modification or further system compromise based on the available data.
Mitigation Recommendations
Upgrade Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where this vulnerability has been fixed. No other mitigation or temporary workaround is indicated in the available data.
CVE-2026-32270: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in craftcms commerce
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Craft Commerce's PaymentsController::actionPay method in affected versions returns serialized order data in a JSON error response to unauthenticated users if an order number is provided and the email verification fails during an anonymous payment process. This leads to exposure of sensitive customer information such as email and addresses. The root cause is that the order is loaded by number prior to completing authorization checks. The vulnerability is identified as CWE-200 (Exposure of Sensitive Information) and CWE-862 (Missing Authorization). The flaw is resolved in Craft Commerce versions 4.11.0 and 5.6.0.
Potential Impact
Sensitive customer information including email, shipping address, and billing address can be exposed to unauthorized actors without authentication. The CVSS 4.0 score is low (1.7), reflecting limited impact and exploitability. There are no known exploits in the wild. The exposure could lead to privacy violations but does not allow modification or further system compromise based on the available data.
Mitigation Recommendations
Upgrade Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where this vulnerability has been fixed. No other mitigation or temporary workaround is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T15:05:48.399Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd4f3582d89c981f535a6c
Added to database: 4/13/2026, 8:16:53 PM
Last enriched: 4/13/2026, 8:31:48 PM
Last updated: 4/15/2026, 1:26:02 PM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.