Spree Commerce logo

Spree Commerce

Open-source headless ecommerce platform with a REST API and Next.js storefront

Alternative to: Shopify, Magento, WooCommerce, Salesforce Commerce Cloud

Spree Commerce screenshot

About Versions (100)

v4.10.2

2026-01-08

This is a security patch release addressing two IDOR (Insecure Direct Object Reference) vulnerabilities. All users are strongly encouraged to upgrade immediately.

Security Fixes

High: Unauthenticated IDOR - Guest Address Exposure (GHSA-3ghg-3787-w2xr)

Moderate: Authenticated IDOR via Order Modification (GHSA-g268-72p7-9j6j)

Supported Versions

Security patches are available for all currently supported Spree versions:

VersionPatched ReleaseEOL Date
5.05.0.7March 2028
4.104.10.2September 2027

If you’re running an unsupported version, please upgrade as soon as possible. Unsupported versions will not receive security patches. Need help upgrading? Contact the Spree team.

Upgrade

bundle update

Acknowledgements

We would like to thank XBOW researchers who responsibly disclosed these vulnerabilities.