CVE-2026-32270— Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.

N/A

信息暴露

Craft Commerce 安全漏洞

Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 4.0.0至4.10.2版本和5.0.0至5.5.4版本存在安全漏洞，该漏洞源于PaymentsController::actionPay在匿名支付期间电子邮件检查失败时向未经身份验证的用户泄露订单数据，可能导致客户电子邮件、送货地址和账单地址等敏感信息泄露。

N/A

N/A