Skip to main content

Shopware CVE-2026-48010

MEDIUM
Improper Privilege Management (CWE-269)
2026-06-04 https://github.com/shopware/shopware GHSA-v39m-97p8-gqg7
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 19:46 vuln.today
Analysis Generated
Jun 04, 2026 - 19:46 vuln.today

DescriptionGitHub Advisory

UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field. A non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users, escalating to full admin access.

The Problem

In src/Core/Framework/Api/Controller/UserController.php, line 210-234:

php
public function upsertUser(?string $userId, Request $request, Context $context, ResponseFactoryInterface $factory): Response
{
    $data = $request->request->all(); // raw request data, no field filtering
    // ...
    $events = $context->scope(Context::SYSTEM_SCOPE, fn (Context $context) =>
        $this->userRepository->upsert([$data], $context)
    );
}

SYSTEM_SCOPE bypasses AclWriteValidator entirely (line 52 of AclWriteValidator::preValidate() returns early for SYSTEM_SCOPE). The admin boolean field is accepted without restriction.

Compare with IntegrationController::upsertIntegration() in the same codebase, which correctly checks:

php
if ((!$source instanceof AdminApiSource)
    || (!$source->isAdmin()
    && isset($data['admin']))
) {
    throw new PermissionDeniedException();
}

UserController is missing this exact check.

Impact

Any API user with the low-privilege user:create permission can create accounts with full admin access, or with user:update can promote any existing user to admin. This is a direct privilege escalation.

Suggested Fix

Add the same isAdmin() check from IntegrationController:

php
$source = $context->getSource();
if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin']))) {
    throw new PermissionDeniedException();
}

Best regards, Keyvan Hardani

AnalysisAI

Privilege escalation in Shopware's Admin API allows authenticated users holding only the low-privilege user:create or user:update ACL to promote any account - including newly created ones - to full administrator access. The flaw exists in UserController::upsertUser() across composer packages shopware/platform and shopware/core, affecting all releases below 6.6.10.18 and the 6.7.x line below 6.7.10.1. Shopware has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is straightforward for any user with delegated user-management API access.

Technical ContextAI

Shopware is a PHP-based e-commerce platform. The vulnerable code path is UserController::upsertUser() (src/Core/Framework/Api/Controller/UserController.php, lines 210-234), which accepts raw request data via $request->request->all() without field filtering and then persists it inside Context::SYSTEM_SCOPE. The critical design flaw is that SYSTEM_SCOPE causes AclWriteValidator::preValidate() to return early (line 52), entirely bypassing ACL write validation. This means the admin boolean field - which grants unrestricted platform access - passes through to the user repository unvetted. CWE-269 (Improper Privilege Management) precisely describes the root cause: the application fails to enforce privilege boundaries when a lower-privileged actor supplies a privilege-elevating field. The sibling controller IntegrationController::upsertIntegration() demonstrates the correct pattern by explicitly calling $source->isAdmin() before permitting the admin field, confirming this is an implementation omission rather than an architectural limitation. Affected packages per Composer PURL are pkg:composer/shopware/platform and pkg:composer/shopware/core.

RemediationAI

The primary fix is to upgrade shopware/platform or shopware/core to version 6.6.10.18 (for 6.6.x deployments) or 6.7.10.1 (for 6.7.x deployments) via Composer: composer update shopware/platform or composer update shopware/core. Release notes and upgrade guidance are available at https://github.com/shopware/shopware/releases/tag/v6.6.10.18 and https://github.com/shopware/shopware/releases/tag/v6.7.10.1. If an immediate upgrade is not possible, the most effective compensating control is to audit and revoke user:create and user:update ACL permissions from all non-admin API integrations and user accounts, restricting these permissions to fully trusted admin accounts only - this eliminates the attack surface while accepting the operational trade-off of reduced delegation. Additionally, operators should audit existing user accounts for unexpected admin: true flags to detect any prior exploitation. There is no documented network-layer workaround since the API endpoint is legitimately used; access controls at the API permission level are the only viable interim mitigation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-48010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy