CVE-2026-31889
HIGH
GHSA-c4p7-rwrg-pf6p
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
3Description
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.
Analysis
Shopware versions before 6.6.10.15 and 6.7.8.1 contain an authentication bypass in the app registration flow that allows attackers to hijack the communication channel between a shop and third-party apps by re-registering with a controlled domain without domain ownership verification. An attacker with knowledge of the app secret can redirect app traffic and intercept API credentials intended for legitimate shops. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all registered third-party apps and document their integration points; implement IP whitelisting and network segmentation for app communication channels. Within 7 days: Contact Shopware support for interim guidance; disable non-critical app integrations if possible; increase monitoring of app-to-store API calls for anomalous activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today