Executive Summary
CVE-2026-39079 is a high-severity information disclosure vulnerability affecting the PrestaShop upsshipping module in all versions through 2.4.0. A remote attacker with network access to the affected PrestaShop installation can retrieve sensitive configuration data — including UPS API credentials, shipping logs, and internal application parameters — by directly accessing two exposed components:
- /modules/upsshipping/logs/ — a publicly accessible log directory
- /modules/upsshipping/lib/UPSBaseApi.php — a PHP library file containing sensitive API configuration
The vulnerability received a CVSS v3.1 score of 7.5 (High) and was published to the NVD on May 18, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-39079 |
| CVSS Score | 7.5 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-200 — Exposure of Sensitive Information to Unauthorized Actor |
| Affected Software | PrestaShop upsshipping module ≤ 2.4.0 |
| Attack Vector | Network (unauthenticated HTTP request) |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| Published | May 18, 2026 |
Technical Analysis
Vulnerable Components
The upsshipping module for PrestaShop fails to restrict direct web access to two sensitive paths:
1. /modules/upsshipping/logs/
The module writes shipping transaction logs to a directory within the web root without any access controls. An unauthenticated remote attacker can browse or retrieve these log files directly via HTTP, exposing:
- UPS shipment tracking numbers and customer data
- Internal order identifiers and shipping addresses
- API request/response content including authentication headers
- Error messages containing internal server paths and configuration details
2. /modules/upsshipping/lib/UPSBaseApi.php
Direct HTTP access to this PHP library file may expose configuration constants, hardcoded or dynamically referenced API credentials, endpoint URLs, and integration parameters embedded in the source.
Attack Scenario
1. Attacker identifies a PrestaShop store running the upsshipping module
(version fingerprinting via module directory listing or HTTP headers)
2. Attacker directly requests:
GET /modules/upsshipping/logs/ HTTP/1.1
— Retrieves directory listing or log file contents
3. Attacker downloads log files containing UPS API credentials,
customer PII, order data, and internal server details
4. Optional: Direct access to UPSBaseApi.php to enumerate
hardcoded configuration values
5. Attacker leverages stolen UPS API credentials for:
— Package interception or shipping fraud
— Customer address harvesting for phishing
— Order manipulation
Why CVSS 7.5
The score reflects:
- No authentication required — any network-accessible attacker can exploit the flaw
- No user interaction — fully automated exploitation
- High confidentiality impact — API credentials and customer PII are exposed
- No integrity or availability impact — read-only information leak
Impact Assessment
| Impact Area | Description |
|---|---|
| UPS API Credential Theft | Stolen API keys can be used to create fraudulent shipments, void labels, or abuse the UPS account |
| Customer PII Exposure | Shipping logs contain names, addresses, and order details of customers |
| Order Data Leakage | Internal order IDs and product details visible to competitors or attackers |
| Regulatory Risk | Exposure of customer PII may trigger GDPR, CCPA, or PCI-DSS incident obligations |
| Secondary Attack Surface | Log data reveals internal server paths, enabling targeted path traversal or injection attacks |
Affected Versions
All versions of the PrestaShop upsshipping module through 2.4.0 are confirmed affected. The module is available via the PrestaShop Addons Marketplace and is used by e-commerce merchants to integrate UPS shipping rates and label generation into their stores.
Remediation
Step 1: Immediately Restrict Web Access to Vulnerable Paths
Add the following rules to the .htaccess file in the PrestaShop root (the patterns are relative to the web root; if you place them in the module's own .htaccess instead, drop the modules/upsshipping/ prefix). Keep them outside the block PrestaShop maintains between its "# ~~start~~" and "# ~~end~~" markers, since the shop regenerates that block:
# Block direct web access to upsshipping logs and library
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^modules/upsshipping/logs/ - [F,L]
RewriteRule ^modules/upsshipping/lib/ - [F,L]
</IfModule>
Or create a .htaccess file directly inside /modules/upsshipping/logs/ (and likewise inside /modules/upsshipping/lib/):
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order deny,allow
Deny from all
For Nginx-based installations, add to your server block, before any "location ~ \.php$" block (nginx uses the first matching regex location):
location ~* ^/modules/upsshipping/(logs|lib)/ {
    # return 403 fires in the rewrite phase, before deny all is evaluated; either alone is sufficient
    deny all;
    return 403;
}
Step 2: Rotate UPS API Credentials
If the module has been running on a publicly accessible store, assume API credentials stored in logs or configuration files are compromised:
- Log in to your UPS Developer Portal
- Rotate or regenerate all API keys associated with the integration
- Update the new credentials in PrestaShop's module configuration
- Review your UPS account for unauthorized shipment creation or label generation
Step 3: Review and Archive Existing Log Files
# Locate log files written by the module (group the -name tests so -type f applies to both)
find /path/to/prestashop/modules/upsshipping/logs/ -type f \( -name "*.log" -o -name "*.txt" \)
# Archive logs for forensic review, then remove them from the web root
tar czf upsshipping-logs-$(date +%Y%m%d).tar.gz /path/to/prestashop/modules/upsshipping/logs/
rm -rf /path/to/prestashop/modules/upsshipping/logs/*
# Redirect future logs to a non-web-accessible path
# (requires module configuration or code modification)
Step 4: Update or Replace the Module
- Check the PrestaShop Addons Marketplace for an updated version of upsshipping that addresses this vulnerability
- If no patch is available, consider replacing the module with an alternative UPS integration that follows secure coding practices (logs outside the web root, no direct file access to library components)
Detection: Signs of Exploitation
Review your web server access logs for requests to the vulnerable paths:
# Check Apache/Nginx access logs for exploitation attempts
grep -E "upsshipping/(logs|lib)" /var/log/apache2/access.log
grep -E "upsshipping/(logs|lib)" /var/log/nginx/access.log
# Include rotated (and gzipped) logs, since exposure may predate the current file
zgrep -E "upsshipping/(logs|lib)" /var/log/apache2/access.log*
# Look for directory listing requests (status 200 on directory paths)
grep "upsshipping/logs" /var/log/apache2/access.log | grep " 200 "
# Check for log file downloads
grep "upsshipping/logs/.*\.log" /var/log/apache2/access.log | grep " 200 "
Any successful (HTTP 200) requests to /modules/upsshipping/logs/ or /modules/upsshipping/lib/ from non-administrative IP addresses should be treated as potential exploitation.
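The grep commands above flag lines but do not separate blocked (403) requests from successful ones, strip query strings, or group hits per source. The following is an added example (not part of the advisory) that parses combined-format access log lines and reports only successful requests to the two exposed paths; the log lines and the administrative address 10.0.0.5 are constructed for illustration.

```python
import re

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Paths the advisory says the vulnerable module exposes
VULN_PATH_RE = re.compile(r'^/modules/upsshipping/(logs|lib)(/|$)')
# Hypothetical administrative source address to exclude from findings
ADMIN_IPS = {"10.0.0.5"}

# Constructed sample traffic (documentation IP ranges), not real server logs
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:01:05 +0000] "GET /modules/upsshipping/logs/ups_2026-05.log HTTP/1.1" 200 98211 "-" "curl/8.0"
198.51.100.9 - - [18/May/2026:10:02:11 +0000] "GET /modules/upsshipping/lib/UPSBaseApi.php?x=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.5 - - [18/May/2026:10:03:00 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:04:00 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.44 - - [18/May/2026:10:05:00 +0000] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

def find_exploitation(log_text, admin_ips=ADMIN_IPS):
    """Return (ip, path, status) for successful (200) requests to the exposed paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if not VULN_PATH_RE.match(path):
            continue
        if m.group("status") != "200" or m.group("ip") in admin_ips:
            continue  # blocked request or known administrative source
        hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def summarize(hits):
    """Group hits by source IP so one scanner shows up as one incident."""
    by_ip = {}
    for ip, path, _status in hits:
        by_ip.setdefault(ip, set()).add(path)
    return {ip: sorted(paths) for ip, paths in by_ip.items()}

if __name__ == "__main__":
    for ip, paths in summarize(find_exploitation(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(paths)}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of the access log (rotated files included) and put your own administrative addresses in ADMIN_IPS.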
Remediation Checklist
- Block direct HTTP access to /modules/upsshipping/logs/ and /modules/upsshipping/lib/ via web server configuration
- Rotate UPS API credentials immediately
- Audit existing log files for customer PII and archive them outside the web root
- Update the upsshipping module to a patched version when available
- Review UPS account activity for unauthorized API usage
- Assess whether a GDPR/CCPA breach notification is required based on log contents
- Verify no other PrestaShop module directories are publicly browsable