CVE-2026-31867— Craft Commerce has a Potential IDOR in Commerce carts
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-31867
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft Commerce has a Potential IDOR in Commerce carts
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it. This vulnerability enables the takeover of shopping sessions and potential exposure of PII. This vulnerability is fixed in 4.11.0 and 5.6.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft Commerce 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 4.11.0之前版本和5.6.0之前版本存在安全漏洞,该漏洞源于购物车功能缺少所有权验证,可能导致不安全的直接对象引用攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-31867
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-31867
请登录查看更多情报信息。
- Potential IDOR in Commerce carts · Advisory · craftcms/commerce · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-31867
Same Patch Batch · craftcms · 2026-03-11 · 4 CVEs total
| CVE-2026-31857 | CraftCMS has an RCE vulnerability via relational conditionals in the control panel | |
| CVE-2026-31859 | Craft has Reflective XSS via incomplete return URL sanitization | |
| CVE-2026-31858 | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection |
IV. Related Vulnerabilities
Same product: commerce
- CVE-2026-32272
Craft Commerce: Blind SQL Injection via hasVariant/hasProduc - CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut - CVE-2026-32270
Craft Commerce: Unauthenticated information disclosure in `c - CVE-2026-29177
Craft Commerce has Stored XSS in Craft Commerce Order Detail - CVE-2026-29176
Craft Commerce has Stored XSS in Inventory Location Name
Same vendor: craftcms
- CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset - CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Re - CVE-2026-32272
Craft Commerce: Blind SQL Injection via hasVariant/hasProduc - CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2026-31867
No comments yet