CVE-2026-32270: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in craftcms commerce
A vulnerability in Craft Commerce versions 4. 0. 0 through 4. 10. 2 and 5. 0. 0 through 5. 5. 4 allows exposure of sensitive order information to unauthenticated users. The PaymentsController::actionPay endpoint discloses serialized order data, including customer email and addresses, when an order number is provided and the email verification fails during an anonymous payment attempt.
AI Analysis
Technical Summary
CVE-2026-32270 is an information exposure vulnerability in Craft Commerce's PaymentsController::actionPay method. In affected versions, the system returns a JSON error response containing the serialized order object with sensitive fields such as customer email, shipping address, and billing address to unauthenticated users if an order number is provided and the email check fails during an anonymous payment. This happens because the order is loaded by number before authorization checks are completed. The vulnerability is addressed in Craft Commerce versions 4.11.0 and 5.6.0.
Potential Impact
Sensitive customer information including email and addresses can be disclosed to unauthorized actors through the payment endpoint. This exposure could lead to privacy violations and potential misuse of customer data. The CVSS score is low (1.7), indicating limited impact and exploitability.
Mitigation Recommendations
Upgrade Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where this vulnerability is fixed. No other mitigation is indicated or required as the fix is available in these versions.
CVE-2026-32270: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in craftcms commerce
Description
A vulnerability in Craft Commerce versions 4. 0. 0 through 4. 10. 2 and 5. 0. 0 through 5. 5. 4 allows exposure of sensitive order information to unauthenticated users. The PaymentsController::actionPay endpoint discloses serialized order data, including customer email and addresses, when an order number is provided and the email verification fails during an anonymous payment attempt.
CVSS v4.0
Score 1.7low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32270 is an information exposure vulnerability in Craft Commerce's PaymentsController::actionPay method. In affected versions, the system returns a JSON error response containing the serialized order object with sensitive fields such as customer email, shipping address, and billing address to unauthenticated users if an order number is provided and the email check fails during an anonymous payment. This happens because the order is loaded by number before authorization checks are completed. The vulnerability is addressed in Craft Commerce versions 4.11.0 and 5.6.0.
Potential Impact
Sensitive customer information including email and addresses can be disclosed to unauthorized actors through the payment endpoint. This exposure could lead to privacy violations and potential misuse of customer data. The CVSS score is low (1.7), indicating limited impact and exploitability.
Mitigation Recommendations
Upgrade Craft Commerce to version 4.11.0 or later, or 5.6.0 or later, where this vulnerability is fixed. No other mitigation is indicated or required as the fix is available in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T15:05:48.399Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd4f3582d89c981f535a6c
Added to database: 4/13/2026, 8:16:53 PM
Last enriched: 4/21/2026, 6:19:28 AM
Last updated: 6/3/2026, 9:17:16 AM
Views: 91
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.