Shopware CVE-2026-32100
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.
AnalysisAI
The Shopware /api/_info/config endpoint publicly discloses information about active security patches without authentication, allowing remote attackers to enumerate implemented security fixes and potentially identify applicable exploits for unpatched instances. This information disclosure affects Shopware versions prior to 2.0.16, 3.0.12, and 4.0.7, where no patch is currently available for earlier releases.
Technical ContextAI
Classified as CWE-200 (Information Exposure). Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.
Affected ProductsAI
Fixed in: 2
RemediationAI
Fixed in version 2.0.16. Restrict network access to the affected service where possible.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today