Improper Authorization in spree_api - CVE-2020-15269


Published: October 20, 2020 / Updated: April 27, 2026


Vulnerability identifier: #VU128100
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15269
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
spree_api
Software vendor:
Spree Commerce

Description

The vulnerability allows a remote user to gain unauthorized access to Storefront API v2 endpoints.

The vulnerability exists due to improper access control in API v2 authentication when handling requests with an expired doorkeeper token. A remote user can present a previously obtained expired user token to gain unauthorized access to Storefront API v2 endpoints.

The issue affects the authentication of requests to Storefront API v2 endpoints that present old, expired user tokens.
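The failure mode described above, as an added example that is not Spree's or Doorkeeper's own code: a constructed stand-in for a Doorkeeper access token, a vulnerable lookup that trusts any bearer token that resolves to a record, and a hardened lookup that also requires the token to be accessible (neither expired nor revoked), mirroring the semantics of Doorkeeper's `AccessToken#accessible?`.

```ruby
require 'time'

# Constructed stand-in for a Doorkeeper access token record (not the gem itself).
AccessToken = Struct.new(:token, :resource_owner_id, :created_at, :expires_in,
                         :revoked_at, keyword_init: true) do
  def expired?
    Time.now >= created_at + expires_in
  end

  def revoked?
    !revoked_at.nil?
  end

  # Same semantics as Doorkeeper's AccessToken#accessible?
  def accessible?
    !expired? && !revoked?
  end
end

# Constructed resource owners and token store: one live, one expired, one revoked.
USERS = { 1 => 'alice' }.freeze
TOKENS = {
  'live'    => AccessToken.new(token: 'live', resource_owner_id: 1,
                               created_at: Time.now, expires_in: 7200, revoked_at: nil),
  'expired' => AccessToken.new(token: 'expired', resource_owner_id: 1,
                               created_at: Time.now - 90_000, expires_in: 7200, revoked_at: nil),
  'revoked' => AccessToken.new(token: 'revoked', resource_owner_id: 1,
                               created_at: Time.now, expires_in: 7200, revoked_at: Time.now)
}.freeze

# Vulnerable pattern: a bearer token that resolves to any stored record is accepted,
# so an expired (or revoked) token still yields an authenticated user.
def current_user_vulnerable(bearer)
  token = TOKENS[bearer]
  return nil unless token
  USERS[token.resource_owner_id]
end

# Hardened pattern: the token must resolve AND still be accessible.
def current_user_hardened(bearer)
  token = TOKENS[bearer]
  return nil unless token&.accessible?
  USERS[token.resource_owner_id]
end

if __FILE__ == $PROGRAM_NAME
  %w[live expired revoked missing].each do |t|
    puts "#{t.ljust(8)} vulnerable=#{current_user_vulnerable(t).inspect} " \
         "hardened=#{current_user_hardened(t).inspect}"
  end
end
```

A detection hint follows from the same check: log the bearer token's `expires_in`/`created_at` on rejected requests so a burst of stale tokens against API v2 endpoints stands out.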


Remediation

Install the security update from the vendor's website.

External links