Platform
php
Component
craftcms/commerce
Fixed versions
4.0.1
5.0.1
5.6.0
CVE-2026-32270 is an Information Disclosure vulnerability affecting Craft Commerce versions up to 5.5.4. An attacker can exploit this flaw to retrieve sensitive order data, including customer email addresses, shipping addresses, and billing addresses, by manipulating the order number during an anonymous payment process. The vulnerability stems from the PaymentsController::actionPay function failing to properly enforce authorization checks before retrieving order details. Upgrade to Craft Commerce version 5.6.0 to remediate this issue.
The primary impact of CVE-2026-32270 is the exposure of sensitive customer information. An attacker can craft a malicious request, providing a valid order number and triggering a scenario where the email check fails, leading to the disclosure of the serialized order object in the JSON error response. This object contains personally identifiable information (PII) such as email addresses, shipping addresses, and billing addresses. While the CVSS score is LOW, the potential for data breaches and privacy violations is significant, especially for e-commerce platforms handling sensitive customer data. The blast radius is limited to the exposed order data; however, this data can be used for targeted phishing attacks or identity theft.
CVE-2026-32270 was published on 2026-04-13. The vulnerability's severity is pending further evaluation beyond the initial CVSS 2.5 rating. Currently, there are no publicly known proof-of-concept (PoC) exploits. It is not listed on KEV or EPSS, suggesting a low probability of immediate exploitation. Monitor security advisories and threat intelligence feeds for any indication of active campaigns targeting this vulnerability.
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-32270 is to immediately upgrade Craft Commerce to version 5.6.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Implement stricter input validation on the number parameter in the PaymentsController::actionPay function to prevent manipulation. Consider using a Web Application Firewall (WAF) to filter requests containing suspicious order numbers or patterns. Monitor your application logs for unusual activity related to anonymous payments and order retrieval. After upgrading, confirm the fix by attempting to access order details with a manipulated order number and verifying that the error response no longer contains the serialized order object.
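The log-monitoring step above is easier to act on with a concrete rule. The following is an added example, not code from the advisory or from Craft Commerce: it flags a client that, while anonymous, submits payment requests for several different order numbers in a short window and repeatedly fails the order email check, which is the pattern the description implies. The log format (space-separated key=value fields), the action name "payments/pay", and the field names are assumptions made for this example; adapt the parser to whatever your application actually logs.

```python
"""Detection sketch for anonymous order-number probing (CVE-2026-32270 pattern).

Added example. The log format below is constructed for illustration and is
NOT real Craft Commerce output; field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. One client (203.0.113.5) cycles through four
# order numbers anonymously and fails the email check every time; one client
# fails once on its own order; one is a logged-in user.
SAMPLE_LOG = """\
2026-04-14T10:00:01Z ip=203.0.113.5 user=anonymous action=payments/pay number=ORD-1001 email_check=fail status=400
2026-04-14T10:00:02Z ip=203.0.113.5 user=anonymous action=payments/pay number=ORD-1002 email_check=fail status=400
2026-04-14T10:00:03Z ip=203.0.113.5 user=anonymous action=payments/pay number=ORD-1003 email_check=fail status=400
2026-04-14T10:00:04Z ip=203.0.113.5 user=anonymous action=payments/pay number=ORD-1004 email_check=fail status=400
2026-04-14T10:05:00Z ip=198.51.100.7 user=anonymous action=payments/pay number=ORD-2001 email_check=pass status=200
2026-04-14T10:06:00Z ip=198.51.100.7 user=anonymous action=payments/pay number=ORD-2001 email_check=fail status=400
2026-04-14T10:07:00Z ip=192.0.2.9 user=42 action=payments/pay number=ORD-3001 email_check=pass status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fields>.*)$")


def parse_line(line):
    """Parse one assumed-format line into a dict; return None on no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_order_enumeration(log_text, window=timedelta(minutes=5), min_distinct=3):
    """Return one finding per client IP that, anonymously, failed the email
    check for at least `min_distinct` different order numbers within `window`.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Only anonymous payment attempts whose email check failed are interesting.
    events = [
        e for e in events
        if e.get("action") == "payments/pay"
        and e.get("user") == "anonymous"
        and e.get("email_check") == "fail"
    ]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over time-ordered events; track the largest set of
        # distinct order numbers seen inside any single window.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            numbers = {e["number"] for e in evs[start:end + 1]}
            if len(numbers) >= min_distinct and (best is None or len(numbers) > best["distinct_numbers"]):
                best = {
                    "ip": ip,
                    "distinct_numbers": len(numbers),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_order_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_numbers']} distinct order numbers "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The thresholds are deliberately conservative: a single customer mistyping the email for their own order fails the check without touching other order numbers, so it is not flagged, while a client walking through many order numbers is. Tune `window` and `min_distinct` to your traffic, and treat a hit as a trigger to review the responses those requests received, since on an unpatched version each failed check may have returned the serialized order.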
Upgrade Craft Commerce to version 4.11.0 or later, or to version 5.6.0 or later, to mitigate the information disclosure vulnerability. This update fixes the issue by enforcing authorization before retrieving orders by number, preventing the exposure of sensitive data to unauthenticated users.
It's an Information Disclosure vulnerability in Craft Commerce (versions up to 5.5.4) allowing unauthenticated users to access sensitive order data like email addresses and shipping details.
If you're using Craft Commerce versions 5.5.4 or earlier, you are potentially affected by this vulnerability. Check your version immediately.
Upgrade to Craft Commerce version 5.6.0 or later to resolve the vulnerability. Consider temporary workarounds like stricter input validation if immediate upgrade isn't possible.
Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-32270, but monitoring is still advised.
Refer to the official Craft CMS security advisory and the CVE details on the NVD (National Vulnerability Database) for more information.