CVE-2026-31888

Medium CVSS: 5.3

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

Vendor

Shopware

Product

Shopware

CWE

CWE-204

Yayın Tarihi

2026-03-11 19:16:05

Güncelleme

2026-03-16 20:37:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-204 Shopware MEDIUM Shopware 2026

Referanslar

https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq

Benzer Kayıtlar

High

CVE-2026-31889

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration…

High

CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for una…

High

CVE-2026-23498

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array a…

High

CVE-2025-67648

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XS…

Medium

CVE-2025-7954

A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attack…

Medium

CVE-2025-51541

A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/d…