Hashed User Password Returns With Order Data

CS-Cart 4.15.x here.

When you pull the detail of an order from API, user password is contained in the returned JSON data. (See the attachment.)

I don't see anything about this in the docs. The only place where the document mentions about the password field is user creation. Even if it was intended, why would we need user password hash in the order data set?

I think there is something wrong here.


Show this screenshot and the query you are doing through the REST API.

Best regards


Nothing special, just a simple GET request to this endpoint: example.com/api/2.0/orders/1055 (And if you wonder if this is about only API 2.0, it's not. /api/ endpoint also returns the same subset. Nonetheless, request and response screenshot is attached.



This may also happen because you have a relatively old version of CS-Cart installed. I checked on the newest release (4.15.2) and API call to orders resource does not return any information about user password hash.

Best regards,


Sorry, my first post didn't note the version correctly. It is not old, rather it is the newest now. CS-Cart 4.15.1.SP2

Post the issue to the bug tracker. It looks like a bug

Thank you for your report.

I was able to reproduce this issue and forwarded it to the developers. As soon as there will be the solution, I will let you know and will provide you with the changes that are required to fix this behavior.


This issue has been fixed. Please apply the attached .diff file to your installation in order to fix it.


The fix itself will be included in the upcoming version 4.15.2.

6d8f18913daab93294c5555b85a6e1540cd52f8f.diff (1.5 KB)

Could you please update link for diff?

I have reuploaded the diff. Thank you for bringing this to my attention!

1 Like