CVE-2026-22588

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22588

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22588.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-22588

Aliases

GHSA-g268-72p7-9j6j

Published

2026-01-08T20:53:37.110Z

Modified

2026-01-15T05:48:06.769043Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Details

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22588.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

a100d2b1c9b264d1796b2433db002d12dddc32cc

Fixed

81d6c7d4e01dd9656c0907c954fb679983767b97

Database specific

{
    "versions": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "5.2.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

a8d7ad128ce7adabaea7e254803ac836fe88e154

Fixed

2ba1150da4d821bea3f49394c63430dddd35fd59

Database specific

{
    "versions": [
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

93f9cbef01f7afd5eee69d24e6f90fe261deff1e

Fixed

3e18ec0055a117b7a65a6f09226ddd823ede4ea3

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/spree/spree

Events

Introduced

Fixed

62e41d24e3f0b982f632d935b19291ecc967c42c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.10.2"
        }
    ]
}

Affected versions

v0.*

v0.11.0

v0.11.99

v0.2.0

v0.30.0.beta1

v0.4.0

v0.40.0

v0.5.0

v0.7.0

v0.70.0.rc2

v0.8.0

v0.8.1

v0.8.2

v1.*

v1.0.0.rc1

v1.0.0.rc2

v1.0.0.rc3

v1.2.0.rc1

v2.*

v2.4.0.rc1

v2.4.0.rc2

v2.4.0.rc3

v3.*

v3.0.0.rc1

v3.1.0.rc1

v3.2.0.rc1

v3.2.2

v3.3.0

v3.3.0.rc1

v3.3.0.rc2

v3.3.0.rc3

v3.3.0.rc4

v3.4.0

v3.4.0.rc1

v3.4.0.rc2

v3.5.0.rc1

v3.6.0.rc1

v3.7.0.beta

v3.7.0.rc1

v4.*

v4.0.0.beta

v4.1.0

v4.1.0.rc1

v4.1.0.rc2

v4.1.0.rc3

v4.10.0

v4.10.1

v4.2.0

v4.2.0.beta

v4.2.0.rc1

v4.2.0.rc2

v4.2.0.rc3

v4.2.0.rc4

v4.2.0.rc5

v4.3.0

v4.3.0.rc1

v4.3.0.rc2

v4.4.0.rc1

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v4.8.1

v4.8.2

v4.8.3

v4.9.0

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.2.0

v5.2.1

v5.2.2

v5.2.3

v5.2.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22588.json"