CVE Reports

Originally published at cvereports.com

CVE-2026-31887: Incorrect Authorization in Shopware Store API Order Route

Vulnerability ID: CVE-2026-31887
CVSS Score: 8.9
Published: 2026-03-11

CVE-2026-31887 is an Incorrect Authorization vulnerability in the Shopware commerce platform. The flaw resides in the store-api.order endpoint and allows unauthenticated attackers to bypass Data Abstraction Layer (DAL) filters and extract sensitive Personally Identifiable Information (PII) belonging to other customers.

TL;DR

Unauthenticated attackers holding a single valid deepLinkCode can inject arbitrary filters into the Shopware Store API order route, bypassing its access controls and exposing the PII and order data of other customers.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS Score: 8.9
  • Privileges Required: None
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • shopware/core
  • shopware/platform
  • shopware/core: >= 6.7.0.0, < 6.7.8.1 (Fixed in: 6.7.8.1)
  • shopware/core: >= 6.6.0.0, < 6.6.10.15 (Fixed in: 6.6.10.15)

Code Analysis

Commit: 92e57c2

Architectural Hardening: Secures AppSecretRotationController to prevent metadata leakage and restricts endpoint namespaces.

Mitigation Strategies

  • Update Shopware core to a patched version (6.6.10.15 or 6.7.8.1)
  • Implement strict Web Application Firewall (WAF) rules to drop requests containing extraneous filter definitions on the /store-api/order endpoint
  • Monitor database access logs for unusually complex or sequential Criteria queries targeting the order tables
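One way to act on the second and third mitigation bullets offline, as an added example that is not part of the advisory or of Shopware's own code: a small audit script that reads a JSON-lines request log, flags POST requests to /store-api/order whose body carries a deepLinkCode together with DAL criteria keys (the "extraneous filter definitions" a WAF rule would drop), and escalates any client that repeats such requests within a short window (the "sequential Criteria queries" the monitoring bullet refers to). The log format, the set of criteria keys treated as extraneous, the thresholds and the sample log lines are all constructed assumptions for this example.

```python
"""Audit a request log for extraneous criteria on /store-api/order.

Added example (not from the advisory or the Shopware project). Assumes a
JSON-lines request log whose records carry ts, client, method, path and the
already-decoded JSON request body.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

ORDER_ROUTE = "/store-api/order"

# DAL criteria keys that shape the query. A deep-link order lookup should not
# need any of them, so their presence next to a deepLinkCode is treated as an
# extraneous filter definition. Assumed policy: trim this set if your
# storefront legitimately sends some of these keys on this route.
CRITERIA_KEYS = {"filter", "post-filter", "query", "aggregations", "grouping",
                 "associations", "sort", "ids", "term"}

# Escalate a client that sends this many flagged requests within the window
# (constructed thresholds for the example).
BURST_THRESHOLD = 3
WINDOW_SECONDS = 60


def _rec(ts, client, method, path, body):
    return {"ts": ts, "client": client, "method": method, "path": path, "body": body}


# Constructed sample log (not real traffic): a benign lookup, an unrelated GET,
# a three-request burst carrying injected criteria from one client, and a
# single outlier from another.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2026-03-12T10:00:00", "10.0.0.5", "POST", ORDER_ROUTE,
         {"deepLinkCode": "CONSTRUCTED-CODE-A"}),
    _rec("2026-03-12T10:00:01", "10.0.0.5", "GET", "/store-api/context", None),
    _rec("2026-03-12T10:05:00", "198.51.100.7", "POST", ORDER_ROUTE,
         {"deepLinkCode": "CONSTRUCTED-CODE-B",
          "filter": [{"type": "equals", "field": "placeholder", "value": "1"}]}),
    _rec("2026-03-12T10:05:20", "198.51.100.7", "POST", ORDER_ROUTE,
         {"deepLinkCode": "CONSTRUCTED-CODE-B", "associations": {"placeholder": {}}}),
    _rec("2026-03-12T10:05:45", "198.51.100.7", "POST", ORDER_ROUTE,
         {"deepLinkCode": "CONSTRUCTED-CODE-B", "post-filter": [], "sort": []}),
    _rec("2026-03-12T11:30:00", "203.0.113.9", "POST", ORDER_ROUTE,
         {"deepLinkCode": "CONSTRUCTED-CODE-C", "sort": [{"field": "placeholder"}]}),
])


def parse_log(text: str) -> List[Dict]:
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extraneous_keys(body: Dict) -> List[str]:
    """Criteria keys present in a body that authenticates only by deepLinkCode."""
    if not isinstance(body, dict) or "deepLinkCode" not in body:
        return []
    return sorted(CRITERIA_KEYS.intersection(body))


def flag_requests(records: List[Dict]) -> List[Dict]:
    """Per-request check: POST to the order route with extraneous criteria."""
    flagged = []
    for rec in records:
        if rec.get("method") != "POST" or rec.get("path") != ORDER_ROUTE:
            continue
        keys = extraneous_keys(rec.get("body"))
        if keys:
            flagged.append({"ts": rec["ts"], "client": rec["client"], "keys": keys})
    return flagged


def burst_clients(flagged: List[Dict]) -> List[str]:
    """Clients with BURST_THRESHOLD flagged requests inside WINDOW_SECONDS."""
    by_client = defaultdict(list)
    for hit in flagged:
        by_client[hit["client"]].append(datetime.fromisoformat(hit["ts"]))
    bursting = []
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            span = (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds()
            if span <= WINDOW_SECONDS:
                bursting.append(client)
                break
    return sorted(bursting)


if __name__ == "__main__":
    hits = flag_requests(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(f"{hit['ts']} {hit['client']} extraneous criteria: {hit['keys']}")
    print("clients to escalate:", burst_clients(hits))
```

The per-request check is the part a WAF rule would enforce inline; the burst check belongs in the log pipeline, since a single injected request from a legitimate integration may be a false positive while a rapid sequence of differing criteria from one address is the pattern worth paging on.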

Remediation Steps

  1. Verify the current running version of Shopware.
  2. Schedule emergency maintenance to apply the vendor-provided patch.
  3. Apply updates via Composer (composer update shopware/core shopware/administration shopware/storefront).
  4. Clear the application cache to ensure updated routing rules are enforced.
  5. Audit access logs for anomalous POST requests to the /store-api/order endpoint matching the known exploit pattern.
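For steps 1 and 2, an added example (not from the advisory or from Shopware) that checks an installed shopware/core version string against the two affected ranges listed above and returns the fixed release to schedule, so the decision can be scripted across a fleet of installations. It assumes a plain dotted version string such as the one `composer show shopware/core` prints; the helper names and the fleet inventory are the example's own.

```python
"""Decide whether an installed shopware/core version needs the patch.

Added example (not from the advisory or Shopware). The affected ranges and
fixed versions are the ones the advisory lists.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive, fixed version exclusive), as stated in the advisory.
AFFECTED_RANGES = [
    ((6, 6, 0, 0), (6, 6, 10, 15)),
    ((6, 7, 0, 0), (6, 7, 8, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '6.6.10.14', 'v6.7.3.0' or '6.7.0.0-rc1' into a 4-int tuple.

    Pre-release and build suffixes are dropped, so '6.7.0.0-rc1' compares as
    6.7.0.0 and falls inside the affected range; treating a release candidate
    as affected is the conservative choice for a patch decision.
    """
    core = re.sub(r"^v", "", text.strip()).split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def required_fix(version: str) -> Optional[str]:
    """Return the fixed version to update to, or None.

    None means the installed version lies outside the advisory's affected
    ranges: either already patched, or a release line the advisory does not
    cover (check vendor guidance separately for the latter).
    """
    installed = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= installed < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage_report(installed: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host name -> fixed version needed (None if no action) for a fleet."""
    return {host: required_fix(ver) for host, ver in installed.items()}


if __name__ == "__main__":
    # Constructed fleet inventory (not real hosts or versions from the page).
    fleet = {
        "shop-a": "6.6.10.14",
        "shop-b": "6.7.8.1",
        "shop-c": "v6.7.3.0",
        "shop-d": "6.7.0.0-rc1",
    }
    for host, fix in triage_report(fleet).items():
        action = f"update to {fix}" if fix else "no action under this advisory"
        print(f"{host}: {action}")
```

Hosts that come back with a fix version are the ones to put on the emergency maintenance schedule in step 2; the Composer and cache steps that follow are then run per host with the target version in hand.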

Read the full report for CVE-2026-31887 on our website for more details including interactive diagrams and full exploit analysis.
