GHSA-h5gm-x9wr-vhcmMedium

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.

Details

When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.

Vulnerable Code

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

An attacker can enumerate all coupon codes through automated requests.

Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.

🎯 Affected products2

  • composer/craftcms/commerce:>= 5.0.0, <= 5.6.4
  • composer/craftcms/commerce:>= 4.0.0, <= 4.11.1

🔗 References (3)