Platform: php
Component: craftcms/commerce
Fixed in: 4.0.1, 5.0.1, 5.6.0
CVE-2026-32270 is an information disclosure vulnerability in Craft Commerce versions up to 5.5.4. During an anonymous payment, an attacker who supplies another customer's order number can retrieve sensitive order data, including the customer's email address, shipping address, and billing address. The root cause is that PaymentsController::actionPay does not enforce authorization before retrieving the order by number. Upgrade to Craft Commerce 5.6.0 or later to remediate.
The primary impact of CVE-2026-32270 is exposure of customer PII. The attacker sends a payment request carrying a valid order number together with an email address that does not match the order; the email check fails, and the JSON error response includes the serialized order object, which contains the customer's email address, shipping address, and billing address. The CVSS score is low, but for an e-commerce platform handling customer data the potential for data breaches and privacy violations is significant. The blast radius is limited to the order data returned per request, but the only prerequisite is a valid order number, and the disclosed data is directly usable for targeted phishing or identity theft.
CVE-2026-32270 was published on 2026-04-13. The initial CVSS rating is 2.5; further severity evaluation is pending. No public proof-of-concept exploit is known. The vulnerability is not on CISA's KEV list, and its EPSS score is low, which suggests a low probability of near-term exploitation. Monitor security advisories and threat intelligence feeds for indications of active campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-32270 is to upgrade Craft Commerce to version 5.6.0 or later, which contains the fix. If upgrading is not immediately feasible, keep in mind that the attack uses a well-formed, valid order number, so syntactic validation of the number parameter in PaymentsController::actionPay does not block it on its own; an interim workaround must keep the order object out of the error response returned by that action. A Web Application Firewall can rate-limit or block clients that submit many distinct order numbers to the payment endpoint, and application logs should be reviewed for anonymous payment attempts whose email address does not match the order. After upgrading, confirm the fix by submitting a payment request with a valid order number and a non-matching email address and verifying that the JSON error response no longer contains the serialized order object.
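The failure mode described in the impact paragraph, and the post-upgrade check from the mitigation paragraph, as an added example that is not Craft Commerce code: a framework-free Python model of the pattern the advisory describes (an anonymous payment handler that loads an order by number, compares the supplied email address, and on mismatch returns a JSON error that embeds the whole order) beside a hardened variant, plus a checker that scans an error body for order fields that must never reach an unauthenticated caller. The function names, the sensitive-key list, and the sample order are constructed for the example; the hardened handler follows the direction the advisory gives (authorize before retrieving by number) and is not the vendor's patch.

```python
"""Added example: model of the CVE-2026-32270 pattern and a leak checker.

Not Craft Commerce code. The order store, field names and handler names
are constructed so the example runs offline.
"""
import json

# Constructed sample data standing in for the order store.
ORDERS = {
    "A1B2C3": {
        "number": "A1B2C3",
        "email": "alice@example.com",
        "shippingAddress": {"name": "Alice", "line1": "1 Main St"},
        "billingAddress": {"name": "Alice", "line1": "1 Main St"},
        "totalPrice": 42.00,
    },
}

# Keys that identify the customer; none of them belong in an error reply
# sent to an unauthenticated caller.
SENSITIVE_KEYS = {"email", "shippingAddress", "billingAddress"}


def pay_vulnerable(number: str, email: str) -> tuple[int, dict]:
    """Pattern the advisory describes: the email check fails, but the
    error body still carries the serialized order, so a caller who knows
    only a valid order number gets the customer's PII back."""
    order = ORDERS.get(number)
    if order is None:
        return 404, {"error": "Order not found"}
    if order["email"].lower() != email.lower():
        # Bug: serializing the order into the error response discloses it.
        return 400, {"error": "Email does not match order", "order": order}
    return 200, {"success": True, "order": order}


def pay_hardened(number: str, email: str) -> tuple[int, dict]:
    """Authorize before the order is used, and never put the order in an
    error body. One generic message covers both "no such order" and
    "wrong email" so the reply does not confirm which numbers exist."""
    order = ORDERS.get(number)
    if order is None or order["email"].lower() != email.lower():
        return 400, {"error": "Unable to process payment for this order"}
    return 200, {"success": True, "order": order}


def leaked_fields(body: dict) -> set[str]:
    """Return the sensitive keys present anywhere in a JSON body (nested
    objects and arrays included)."""
    found: set[str] = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_KEYS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(body)
    return found


def check_error_response(status: int, body: dict) -> bool:
    """Post-upgrade check: a rejected request (non-2xx) must not carry
    any sensitive key. A successful, authorized payment may return the
    order, so 2xx replies pass."""
    if 200 <= status < 300:
        return True
    return not leaked_fields(body)


if __name__ == "__main__":
    # Same probe against both handlers: valid number, wrong email.
    for name, handler in (("vulnerable", pay_vulnerable), ("hardened", pay_hardened)):
        status, body = handler("A1B2C3", "mallory@example.com")
        print(name, status, json.dumps(body))
        print("  leaked:", sorted(leaked_fields(body)),
              "passes check:", check_error_response(status, body))
```

To turn `leaked_fields` into the verification step against a real site, feed it the parsed JSON body of the error response you get back from the payment action after upgrading; any key it reports means the serialized order is still being disclosed.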
Update Craft Commerce to version 4.11.0 or higher, or to version 5.6.0 or higher, to mitigate the information disclosure vulnerability. The update corrects the issue by enforcing authorization before an order is retrieved by number, so order data is no longer exposed to unauthenticated users.
It's an information disclosure vulnerability in Craft Commerce (versions up to 5.5.4) that lets unauthenticated users obtain sensitive order data such as email addresses and shipping details.
If you're using Craft Commerce versions 5.5.4 or earlier, you are potentially affected by this vulnerability. Check your version immediately.
Upgrade to Craft Commerce version 5.6.0 or later to resolve the vulnerability. If an immediate upgrade isn't possible, use a temporary workaround that keeps the order object out of the payment action's error responses; input validation on the order number alone does not stop the attack, because the attacker supplies a valid order number.
Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-32270, but monitoring is still advised.
Refer to the official Craft CMS security advisory and the CVE details on the NVD (National Vulnerability Database) for more information.