CVE Alert

CVE-2026-32270

Severity: UNKNOWN (score 0.0)

Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 14th

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (`order`), which contains sensitive fields such as the customer email, shipping address, and billing address. The frontend payment flow's actionPay() loads the order by number before authorization is fully enforced, so the object is already available when the error response is built. This issue has been fixed in versions 4.11.0 and 5.6.0.
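The pattern described above, as an added illustration that is not Craft Commerce's code: a simplified anonymous-payment handler in plain PHP, with the leaking variant next to a hardened one. The `Order` class, `$findOrderByNumber` callable and request array are assumed stand-ins for the real framework objects.

```php
<?php
// Added illustration (not Craft Commerce's code). Order, findOrderByNumber and the
// request array are assumed stand-ins for the framework's own types.
declare(strict_types=1);

final class Order
{
    public function __construct(
        public string $number,
        public string $email,
        public array $shippingAddress,
        public array $billingAddress,
        public float $total,
    ) {}
}

/** Leaking pattern: the order is loaded first and echoed back in the error body. */
function payVulnerable(array $request, callable $findOrderByNumber): array
{
    $order = $findOrderByNumber($request['orderNumber'] ?? '');
    if ($order === null) {
        return ['success' => false, 'error' => 'Order not found'];
    }
    // The email check fails for an anonymous caller who only knows the order number...
    if (!hash_equals(strtolower($order->email), strtolower($request['email'] ?? ''))) {
        // ...but the serialized order (email, addresses) is still sent back.
        return ['success' => false, 'error' => 'Email mismatch', 'order' => (array) $order];
    }
    return ['success' => true, 'order' => (array) $order];
}

/** Hardened pattern: authorize before exposing anything, and keep error bodies minimal. */
function payHardened(array $request, callable $findOrderByNumber): array
{
    $order = $findOrderByNumber($request['orderNumber'] ?? '');
    $supplied = strtolower(trim($request['email'] ?? ''));
    // One generic response for "unknown number" and "email does not match", so the
    // endpoint cannot be used to confirm order numbers or the email tied to one.
    if ($order === null || $supplied === '' || !hash_equals(strtolower($order->email), $supplied)) {
        return ['success' => false, 'error' => 'Unable to process payment for this order'];
    }
    // Only after authorization, and only a minimal view rather than the whole object.
    return ['success' => true, 'order' => ['number' => $order->number, 'total' => $order->total]];
}
```

Reviewing error-path JSON for whole serialized models, not just success responses, is the check that catches this class of leak.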

CWE: CWE-200, CWE-862
Vendor: craftcms
Product: commerce
Published: Apr 13, 2026
Last Updated: Apr 14, 2026

Affected Versions

craftcms / commerce
>= 4.0.0, < 4.11.0
>= 5.0.0, < 5.6.0

References

github.com: https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
github.com: https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
github.com: https://github.com/craftcms/commerce/releases/tag/4.11.0
github.com: https://github.com/craftcms/commerce/releases/tag/5.6.0