Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058

Project:

Commerce Realex / Global Payments

Date:

2026-June-24

Security risk:

Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default

Vulnerability:

Access Bypass

Affected versions:

<3.0.2

CVE IDs:

CVE-2026-13238

Description:

This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.

When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments.

The lightbox payment method validates the signature and is not affected, so sites that use the lightbox payment method are not affected.

Solution:

Install the latest version:

If you use the commerce_realex module <=3.0.1, upgrade to commerce_realex 3.0.2.

The redirect payment response is now cryptographically verified against the merchant shared secret .

Sites that cannot update immediately should disable this payment gateway, until the update can be applied.

Reported By:

Bill Seremetis (bserem)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community