CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25878: Open House at the Database: FroshPlatformAdminer Auth Bypass


Vulnerability ID: CVE-2026-25878
CVSS Score: 6.9
Published: 2026-02-10

A classic case of "explicitly insecure configuration" found in the FroshPlatformAdminer plugin for Shopware. The developers explicitly disabled the framework's authentication check on the primary Adminer route to make things "easier", inadvertently exposing the entire database management interface to the public internet without any login prompt from the application itself.

TL;DR

The FroshPlatformAdminer plugin for Shopware (< 2.2.1) exposed the Adminer database management tool to unauthenticated users. The route was configured with auth_required => false, allowing anyone to access the database login UI. While database credentials were still required, this exposed critical infrastructure to brute-force attacks and potential Adminer-specific exploits.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-306 (Missing Authentication for Critical Function)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (AV:N)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Exploit Complexity: Low (AC:L)

Affected Systems

  • Shopware 6 (running FroshPlatformAdminer)
  • FroshPlatformAdminer < 2.2.1 (fixed in 2.2.1)

Code Analysis

Commit: c4dd6c3

Implementation of a manual session-based authentication check for the Adminer route (excerpt from the fixing commit; "..." marks lines omitted from the report):

    // login(): once the request has been validated, mark the PHP session
    // as authenticated for the Adminer UI
    public function login(Request $request): JsonResponse
    ...
        $_SESSION['frosh_adminer_authenticated'] = true;

    // index(): the Adminer route now refuses any request whose session
    // lacks that flag, instead of relying on the route's auth_required default
    public function index(): Response
    ...
        if (empty($_SESSION['frosh_adminer_authenticated'])) {
            return new Response('Forbidden', Response::HTTP_FORBIDDEN);
        }

Exploit Details

  • N/A: The vulnerability is a direct configuration error; exploitation is achieved by simply browsing to the URL.

Mitigation Strategies

  • Update the plugin immediately to 2.2.1 or later
  • Network-level restriction: do not leave a database management route reachable from the public internet; limit it to trusted networks
  • Defense in depth: database credentials should never be the only barrier in front of a database administration interface

Remediation Steps:

  1. Navigate to your Shopware administration panel or use the Composer CLI.
  2. Update friendsofshopware/frosh-platform-adminer to version 2.2.1 or higher.
  3. Verify the update by visiting /admin/adminer in an incognito window. You should receive a 403 Forbidden or be redirected to the Shopware login.
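Step 3 can be scripted against your own deployment. The following is an added example written for this post, not code from the CVE Reports site or from the FroshPlatformAdminer project. It assumes the route path /admin/adminer named in the remediation steps, sends one request without cookies or credentials, refuses to follow redirects (so a bounce to the Shopware login is reported as a redirect rather than fetched as a 200 login page), and classifies the answer the way step 3 describes: 403 or a redirect to the Shopware admin means the server-side check is in place, a 200 that serves the Adminer UI means the route is still open.

```python
"""Verify that the FroshPlatformAdminer route no longer answers unauthenticated
requests (CVE-2026-25878). Run it against your own Shopware host after updating
to 2.2.1; it makes a single request with no session and reports the outcome."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Route path taken from the advisory's remediation steps (assumed to be unchanged).
ADMINER_PATH = "/admin/adminer"


@dataclass
class Verdict:
    state: str      # "fixed", "vulnerable" or "unknown"
    status: int
    location: str
    reason: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to the
    Shopware login is visible as such rather than as a 200 login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: str = "", body: bytes = b"") -> Verdict:
    """Map one unauthenticated response to a verdict, following remediation step 3:
    403 or a redirect away from Adminer means the fix is active; a 200 that
    carries the Adminer UI means the route is still unauthenticated."""
    if status == 403:
        return Verdict("fixed", status, location,
                       "403 Forbidden: the session check rejected the request")
    if 300 <= status < 400:
        if ADMINER_PATH in location:
            return Verdict("unknown", status, location,
                           "redirect stays on the Adminer route (slash normalisation?); "
                           "re-run against the Location target")
        return Verdict("fixed", status, location,
                       f"redirected to {location or '<no Location>'}: login required first")
    if status == 200:
        if b"adminer" in body.lower():
            return Verdict("vulnerable", status, location,
                           "200 with the Adminer UI: route is still unauthenticated")
        return Verdict("unknown", status, location,
                       "200 without Adminer markup: inspect the page manually")
    if status == 404:
        return Verdict("unknown", status, location,
                       "404: route not present (plugin missing or disabled?)")
    return Verdict("unknown", status, location, f"unexpected HTTP {status}: inspect manually")


def check(base_url: str, timeout: float = 10.0) -> Verdict:
    """Fetch the Adminer route once, with no cookies and no credentials."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + ADMINER_PATH,
        headers={"User-Agent": "cve-2026-25878-remediation-check"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location", ""), resp.read(8192))
    except urllib.error.HTTPError as err:
        # 3xx (because we refuse to follow) and 4xx/5xx land here; headers and
        # body are still readable, so they are classified exactly like a 2xx.
        body = err.read(8192) if err.fp is not None else b""
        return classify(err.code, err.headers.get("Location", ""), body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} https://shop.example")
    verdict = check(sys.argv[1])
    print(f"{verdict.state.upper()}: HTTP {verdict.status} - {verdict.reason}")
    sys.exit(1 if verdict.state == "vulnerable" else 0)
```

Run it as `python check_adminer.py https://shop.example` against the shop you just updated; a non-zero exit means the route still served the Adminer UI to an anonymous client and the update has not taken effect (plugin cache, stale container, or the wrong environment). The classifier is deliberately separate from the HTTP call so the same rules can be applied to responses captured from a proxy or a log.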

Read the full report for CVE-2026-25878 on our website for more details including interactive diagrams and full exploit analysis.
