CVE-2026-32270: Information Disclosure in Craft Commerce Payments Controller
Vulnerability ID: CVE-2026-32270
CVSS Score: 1.7
Published: 2026-04-14
CVE-2026-32270 is an Information Disclosure vulnerability affecting Craft Commerce, a popular ecommerce extension for the Craft CMS ecosystem. The flaw resides in the payment processing endpoint where the system correctly blocks unauthorized payment attempts but incorrectly attaches the full serialized order entity to the resulting JSON error response. Unauthenticated attackers can exploit this behavior by supplying a valid order number, bypassing intended authorization controls to extract sensitive Personally Identifiable Information (PII) including customer emails, physical addresses, and purchase histories.
TL;DR
Craft Commerce versions 4.x before 4.11.0 and 5.x before 5.6.0 expose sensitive order data to unauthenticated actors. By submitting a valid order number to the payment endpoint and intentionally failing the authorization check, an attacker forces the application to leak the serialized cart array containing comprehensive customer PII within the error response payload.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862, CWE-200
- Attack Vector: Network
- Authentication Required: None
- CVSS 4.0 Score: 1.7 (Low)
- Impact: Confidentiality (PII Leak)
- Exploit Status: PoC Available
- Pre-requisite: Valid Order Number
Affected Systems
- Craft Commerce 4.x
- Craft Commerce 5.x
- Craft CMS
- Craft Commerce: >= 4.0.0, < 4.11.0 (Fixed in: 4.11.0)
- Craft Commerce: >= 5.0.0, < 5.6.0 (Fixed in: 5.6.0)
Code Analysis
Commit: 48a5d94
Fix information disclosure in PaymentsController by removing cart array from failure response.
Mitigation Strategies
- Upgrade Craft Commerce to the latest patch release (4.11.0 or 5.6.0).
- Implement high-entropy, non-sequential order numbers to prevent enumeration.
- Deploy WAF rules to inspect and sanitize overly verbose JSON error responses.
Remediation Steps:
- Backup the Craft CMS database and codebase.
- Use Composer to update Craft Commerce: composer require craftcms/commerce:^4.11.0 or ^5.6.0.
- Run database migrations via the Craft control panel or CLI: php craft migrate/all.
- Verify the fix by attempting to access a known completed order number without email credentials and ensuring the response payload does not contain PII.
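The code analysis above only gives the commit message ("removing cart array from failure response"), and the last remediation step asks you to confirm that the error payload no longer carries PII. The following added example, which is not Craft Commerce code and does not use its data model, illustrates both points in one place: two hypothetical failure-response builders (the pre-fix shape that attaches the serialized order, and the post-fix shape that returns only the error), plus an audit function you can run over a captured JSON error body to list which PII fields it exposes. The order record and the set of PII key names are constructed assumptions for the example.

```python
import json

# Constructed sample order, standing in for the serialized order entity the
# advisory says was attached to the failure response (not Craft's data model).
SAMPLE_ORDER = {
    "number": "a1b2c3d4e5f6",
    "email": "customer@example.com",
    "shippingAddress": {"addressLine1": "1 Example Street", "locality": "Springfield"},
    "lineItems": [{"description": "Widget", "qty": 2, "total": 19.98}],
}


def failure_response_vulnerable(order: dict, message: str) -> str:
    """Hypothetical pre-fix behaviour: the authorization check fails, but the
    whole serialized order is still attached to the JSON error body."""
    return json.dumps({"success": False, "error": message, "cart": order})


def failure_response_fixed(order: dict, message: str) -> str:
    """Hypothetical post-fix behaviour: only the error message is returned;
    the order entity is never serialized into the failure payload."""
    return json.dumps({"success": False, "error": message})


# Key names treated as PII if they surface anywhere in an error response.
# This set is an assumption for the audit, not taken from Craft Commerce.
PII_KEYS = {"email", "firstName", "lastName", "addressLine1", "addressLine2",
            "locality", "postalCode", "phone", "lineItems"}


def find_pii_paths(node, path: str = "") -> list:
    """Walk a decoded JSON document and return the dotted path of every PII key,
    descending into nested objects and arrays."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in PII_KEYS:
                hits.append(child)
            hits.extend(find_pii_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pii_paths(item, f"{path}[{i}]"))
    return hits


def audit_error_response(body: str) -> list:
    """Decode an error response body and list leaked PII paths (empty = clean).
    A non-JSON body is reported as a finding rather than silently passed."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["<body is not JSON>"]
    return find_pii_paths(doc)


if __name__ == "__main__":
    msg = "You are not allowed to pay for this order."
    for label, resp in (("vulnerable", failure_response_vulnerable(SAMPLE_ORDER, msg)),
                        ("fixed", failure_response_fixed(SAMPLE_ORDER, msg))):
        leaks = audit_error_response(resp)
        print(f"{label}: {'LEAK ' + ', '.join(leaks) if leaks else 'clean'}")
```

To use the audit against a real deployment, save the JSON body returned by the payment endpoint for a deliberately failed authorization check and pass it to audit_error_response; an empty list is the expected result after upgrading to 4.11.0 or 5.6.0. Keep PII_KEYS aligned with the field names your own order and address models actually use.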
References
Read the full report for CVE-2026-32270 on our website for more details including interactive diagrams and full exploit analysis.