Skip to main content

Shopware CVE-2026-48012

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-04 https://github.com/shopware/shopware GHSA-4x3x-869w-xx3m
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 20:04 vuln.today
Analysis Generated
Jun 04, 2026 - 20:04 vuln.today

DescriptionGitHub Advisory

Description

This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In the validated behavior, the server does not restrict that fallback target to same-origin URLs, does not require a relative path, and does not reject dangerous schemes such as javascript:. As a result, an unauthenticated request can turn this endpoint into a reusable redirect primitive whose destination is fully controlled by attacker-supplied request metadata.

The security problem is not limited to a harmless navigation mismatch. The endpoint sits under /api/oauth/, which gives the redirect a trustworthy application-controlled origin and makes it suitable for phishing chains, branded redirect abuse, and cases where client software automatically follows redirects issued by a trusted host. The attached evidence also shows that the response is not only an HTTP 302 with a user-controlled Location header. The HTML body contains a matching meta refresh tag and redirect link built from the same attacker-controlled value. In the validated proof, the endpoint redirects to https://attacker.example/poc when that URL is supplied through Referer, and it also reflects javascript:alert(1) into Location and the HTML redirect body without any scheme filtering. This report therefore stays conservative and claims an open redirect with arbitrary redirect targets, while noting that the lack of scheme restrictions makes the behavior materially worse than a same-scheme external redirect.

Steps To Reproduce

  1. Start a local Shopware instance that exposes the vulnerable endpoint at http://127.0.0.1:8000/api/oauth/sso/auth. No login is required for the proof. The attached Python PoC already targets that base URL and is configured to send direct requests without following redirects automatically.
  2. Run the attached PoC with python3 poc_sso_referer_open_redirect.py. The script sends three requests to GET /api/oauth/sso/auth and records the raw responses as evidence files. The first request omits the Referer header entirely. The second request supplies Referer: https://attacker.example/poc. The third request supplies Referer: javascript:alert(1).
  3. Inspect the first recorded response in evidence/sso_redirect_no_referer.raw.txt. In the validated run, the endpoint returns 401 with the message Referrer not found. Cannot redirect. This shows that the code path being exercised is the unauthenticated fallback behavior that depends on Referer when the expected SSO state is missing.
  4. Inspect evidence/sso_redirect_https_redirect.raw.txt. In the validated run, the endpoint returns 302 and sets Location: https://attacker.example/poc. The HTML body also contains a meta refresh tag and redirect link pointing to the same external URL. This demonstrates that the server accepts an attacker-controlled external target and emits it as a redirect destination.
  5. Inspect evidence/sso_redirect_javascript_redirect.raw.txt. In the validated run, the endpoint again returns 302, but this time the response sets Location: javascript:alert(1). The HTML body mirrors the same javascript: target in both the meta refresh tag and the anchor. This demonstrates that the fallback redirect does not even enforce an http or https scheme restriction before constructing the response.
  6. Compare the PoC summary in evidence/poc_sso_referer_open_redirect.output.txt with the raw responses. The validated run shows 401 when no Referer is present, 302 to https://attacker.example/poc when an external HTTPS URL is supplied, and 302 to javascript:alert(1) when a dangerous scheme is supplied. That behavior confirms the endpoint can be used as an open redirect with an arbitrary redirect target controlled through Referer.

Recommendations

The endpoint should stop using Referer as a fallback redirect target when the expected SSO state is missing. If the application cannot complete the SSO flow because the required session state does not exist, it should return a fixed error response or redirect only to a fixed internal page that is not influenced by request headers. Referer is not a trustworthy source of navigation intent and should not be treated as an authorization or routing signal for security-sensitive redirect logic.

If the product needs to preserve a return destination, that destination should be derived from a server-generated state value or validated against a strict allowlist. At minimum, the code should reject non-HTTP schemes, reject scheme-relative targets such as //host, and reject absolute URLs that are not same-origin with the current Shopware instance. A regression test should cover the exact cases proven here: no Referer, an external HTTPS Referer, and a javascript: Referer, with assertions that none of the attacker-controlled values can be emitted into Location or the HTML redirect body.

Impact

The demonstrated impact is that an unauthenticated attacker can cause a trusted Shopware endpoint to emit arbitrary redirect targets chosen through the request's Referer header. In the minimum case, that enables standard open redirect abuse for phishing, brand impersonation, and redirect chaining through a legitimate application origin. Because the redirect is served from /api/oauth/sso/auth, the resulting URL can look more trustworthy than a generic off-site redirect and may be more likely to be followed by users or client software that expects the endpoint to participate in an authentication flow.

The validated evidence also shows that the endpoint does not restrict the redirect target to ordinary web URLs. It reflects javascript:alert(1) directly into Location and into the HTML redirect page. This report keeps the claim conservative and classifies the issue as an open redirect with arbitrary redirect targets, but the acceptance of dangerous schemes makes the behavior more severe than a simple same-browser redirect to another HTTPS site and increases the risk of downstream abuse depending on client behavior.

Note on submission channel:

I initially attempted to submit this issue through Shopware’s official security reporting form. The form backend returned HTTP 400 for normal submissions, and when an attachment was included it explicitly rejected .md, .py, .zip files with the message File type not allowed. Because the official form was not functioning correctly for me, I am submitting this report privately through GitHub’s vulnerability reporting flow.

AnalysisAI

Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.

Technical ContextAI

CWE-601 (URL Redirection to Untrusted Site / Open Redirect) describes the root cause: user-controlled input is incorporated into a redirect response without origin or scheme validation. The vulnerable code path is the fallback logic within GET /api/oauth/sso/auth - part of the OAuth SSO flow - that activates when no expected SSO session state is present. Instead of returning a fixed error, the application reads the HTTP Referer request header and uses its value verbatim to construct both the HTTP 302 Location header and an HTML body containing a meta refresh tag and anchor, neither of which enforces same-origin policy, requires a relative path, nor rejects non-http/https schemes such as javascript:. Affected packages are pkg:composer/shopware/core and pkg:composer/shopware/platform, versions >= 6.7.3.0 and < 6.7.10.1, running under PHP 8.2/8.4/8.5 on MySQL 8 or MariaDB 11 per the release notes.

RemediationAI

Upgrade shopware/core and shopware/platform to version 6.7.10.1, released via https://github.com/shopware/shopware/releases/tag/v6.7.10.1 and described in the security advisory at https://github.com/shopware/shopware/security/advisories/GHSA-4x3x-869w-xx3m. The vendor fix is the only confirmed remediation; no official workaround is documented. As a compensating control prior to patching, operators can configure a reverse proxy or WAF rule to reject or sanitize requests to GET /api/oauth/sso/auth that carry a Referer header pointing to an external origin - note that this may break legitimate SSO fallback flows if any business logic depends on Referer. Alternatively, if the SSO feature is not in use, disabling or restricting network access to the /api/oauth/sso/ path eliminates the attack surface entirely without functional impact. The vendor advisory also notes that v6.7.10.1 includes fixes for SVG upload active-content injection (GHSA-gv8p-48fr-4fxg) and external-link URL validation; operators should review the full release notes for additional security-relevant changes bundled in the same release.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-48012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy