CVE-2026-32270 LOW

CVE-2026-32270: Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

Vendor Craftcms

Product commerce

Weakness CWE-200 · Info exposure

Published April 13, 2026

Last update April 14, 2026

View on NVD All CVEs

CVSS base score

1.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.

Key dates

02Disclosure timeline

April 13, 2026 CVE published

April 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32270 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2026-32270

CWE CWE-200

CVSS 1.7 / LOW

Affected versions

Vendor Craftcms

Product commerce

Affected >= 4.0.0, < 4.11.0

Vendor Craftcms

Product commerce

Affected >= 5.0.0, < 5.6.0

CVE-2026-32270: Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

01Description

02Disclosure timeline

03References

04Related CVE