Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments

🗓️ 14 Apr 2026 01:01:17Reported by GitHub Advisory DatabaseType

Unauthenticated disclosure of completed order data via payments actionPay with order number and failed email check.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-32270	13 Apr 202620:08	–	attackerkb
CNNVD	Craft Commerce 安全漏洞	13 Apr 202600:00	–	cnnvd
CVE	CVE-2026-32270	13 Apr 202620:08	–	cve
Cvelist	CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments	13 Apr 202620:08	–	cvelist
EUVD	EUVD-2026-22073	14 Apr 202601:01	–	euvd
NVD	CVE-2026-32270	13 Apr 202620:16	–	nvd
OSV	GHSA-3VXG-X5F8-F5QF Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments	14 Apr 202601:01	–	osv
Positive Technologies	PT-2026-32511	13 Apr 202600:00	–	ptsecurity
Snyk	Missing Authorization	13 Apr 202621:13	–	snyk
Vulnrichment	CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments	13 Apr 202620:08	–	vulnrichment

Vulners

Node

craftcms craft_commerceRange4.0.0–4.10.2composer

craftcms craft_commerceRange5.0.0–5.5.4composer

Source	Link
github	www.github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-32270
github	www.github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08
github	www.github.com/craftcms/commerce/releases/tag/4.11.0
github	www.github.com/craftcms/commerce/releases/tag/5.6.0
github	www.github.com/advisories/GHSA-3vxg-x5f8-f5qf

14 Apr 2026 01:01Current

5.8Medium risk

Vulners AI Score5.8

CVSS 46.3

EPSS0.0009

SSVC