Skip to main content

Shopware CVE-2026-31889

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-03-11 security-advisories@github.com GHSA-c4p7-rwrg-pf6p
8.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:07 vuln.today
CVE Published
Mar 11, 2026 - 20:16 nvd
HIGH 8.9

DescriptionGitHub Advisory

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.

AnalysisAI

Shopware versions before 6.6.10.15 and 6.7.8.1 contain an authentication bypass in the app registration flow that allows attackers to hijack the communication channel between a shop and third-party apps by re-registering with a controlled domain without domain ownership verification. An attacker with knowledge of the app secret can redirect app traffic and intercept API credentials intended for legitimate shops. This vulnerability affects all Shopware installations using the legacy app registration mechanism and currently has no available patch.

Technical ContextAI

This vulnerability (CWE-290: Authentication Bypass by Spoofing) affects Shopware is an open commerce platform.. Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or

Affected ProductsAI

Product: Shopware is an open commerce platform.. Versions: up to 6.6.10.15.

RemediationAI

Fixed in version 6.6.10.15. Restrict network access to the affected service where possible.

Share

CVE-2026-31889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy