Skip to main content

Shopware CVE-2026-31888

MEDIUM
Observable Response Discrepancy (CWE-204)
2026-03-11 security-advisories@github.com GHSA-gqc5-xv7m-gcjq
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:07 vuln.today
CVE Published
Mar 11, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not - indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.

AnalysisAI

Shopware's Store API login endpoint (POST /store-api/account/login) leaks information about registered customer accounts by returning distinct error messages and echoing email addresses based on whether credentials belong to known users, enabling unauthenticated attackers to enumerate valid customer accounts. The vulnerability affects versions prior to 6.7.8.1 and 6.6.10.15, while the storefront login controller properly mitigates this issue, indicating inconsistent security controls. No patch is currently available.

Technical ContextAI

affects Shopware is an open commerce platform.. Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login contro

Affected ProductsAI

Product: Shopware is an open commerce platform.. Versions: up to 6.7.8.1.

RemediationAI

Fixed in version 6.7.8.1. Restrict network access to the affected service where possible.

Share

CVE-2026-31888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy