DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31888: Observable Response Discrepancy in Shopware Store API

Vulnerability ID: CVE-2026-31888
CVSS Score: 5.3
Published: 2026-03-11

Shopware Open Commerce Platform is vulnerable to user enumeration via observable response discrepancies in the Store API login endpoint. An unauthenticated remote attacker can probe the /store-api/account/login endpoint to systematically identify registered customer accounts, facilitating targeted social engineering or subsequent password spraying attacks.

TL;DR

An unauthenticated user enumeration vulnerability exists in Shopware's Store API (/store-api/account/login): the endpoint returns a different error response, and takes a measurably different time to answer, for a registered e-mail address than for an unregistered one. Attackers can leverage this to compile lists of registered users.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-204 (Observable Response Discrepancy) / CWE-208 (Observable Timing Discrepancy)
  • Attack Vector: Network
  • Authentication Required: None
  • CVSS v3.1 Score: 5.3 (Medium)
  • Impact: Information Disclosure (User Enumeration)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Shopware Core: < 6.6.10.15 (Fixed in: 6.6.10.15)
  • Shopware Core: >= 6.7.0.0, < 6.7.8.1 (Fixed in: 6.7.8.1)
  • Shopware Platform: < 6.6.10.14 (Fixed in: 6.6.10.14)
  • Shopware Platform: >= 6.7.0.0, < 6.7.8.1 (Fixed in: 6.7.8.1)

Mitigation Strategies

  • Update Shopware Core and Platform to the patched versions listed above; this is the only measure that removes the discrepancy itself.
  • Implement rate limiting on the /store-api/account/login endpoint based on source IP address and request volume, so that bulk probing is slowed even though individual responses still differ on an unpatched instance.
  • Have the Web Application Firewall (WAF) alert on abnormal volumes of 400/401 responses from the authentication endpoint, in particular many failures spread across distinct e-mail addresses from a single source.
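The WAF check in the last bullet can also be run offline over ordinary access logs. The following is an added example for this advisory, not Shopware's own code or anything from the original report: a sliding-window counter that flags any source address producing too many failed logins against the Store API login path. The combined log format, the window and threshold, and every log line are constructed assumptions.

```python
"""Detection of login-endpoint enumeration from web-server access logs.

Added example for this advisory, not Shopware's own code. It implements the
"abnormal volume of 400/401 responses" check as a per-source sliding-window
counter. The log format (Apache/nginx combined), the window and threshold,
and every log line below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/store-api/account/login"   # endpoint named in the advisory
WINDOW = timedelta(seconds=60)            # assumption
THRESHOLD = 20                            # assumption: failures per source per window

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None for lines that
    do not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"], int(m["status"]))


def detect(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {ip: timestamp_first_flagged} for sources that produced at least
    `threshold` failed logins (400/401 on the login path) inside `window`.

    Only failures count: a burst of successful logins from one address (e.g.
    a NAT gateway) is not enumeration. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH or status not in (400, 401):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _line(ip, ts, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 142 '
            f'"-" "curl/8.0"')


def build_sample_log() -> list:
    """Constructed sample: one address failing 25 logins in 50 s (enumeration),
    one address failing 3 times in the same minute (a forgetful customer),
    plus an unrelated 200 on another path."""
    t0 = datetime(2026, 3, 11, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=2 * i), LOGIN_PATH, 401))
    for i in range(3):
        lines.append(_line("203.0.113.9", t0 + timedelta(seconds=15 * i), LOGIN_PATH, 401))
    lines.append(_line("203.0.113.9", t0 + timedelta(seconds=50), "/store-api/product", 200))
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


if __name__ == "__main__":
    for ip, when in detect(build_sample_log()).items():
        print(f"enumeration suspected from {ip} at {when.isoformat()}")
```

With the constructed sample the probing address is flagged on its 20th failure (38 s into the burst) and the customer who mistypes a password three times is not; lowering the threshold to 3 flags both, which is the trade-off any such rule carries. A rule of this shape is only a detection aid: it does not change the responses an unpatched instance gives, so it complements rather than replaces the upgrade.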

Remediation Steps:

  1. Identify the deployed version of Shopware Core and Shopware Platform.
  2. If running Shopware Core < 6.6.10.15, Shopware Platform < 6.6.10.14, or either package >= 6.7.0.0 and < 6.7.8.1, schedule an immediate upgrade.
  3. Apply 6.6.10.15 or 6.7.8.1 for Core, and 6.6.10.14 or 6.7.8.1 for Platform, via the standard deployment pipeline.
  4. Verify the fix by sending two login requests, one with a non-existent e-mail address and one with a registered address and a wrong password, and confirming that both return the same status code and the same generic authentication failure body. Because CWE-208 is also listed, repeat each request several times and confirm that the response times do not differ noticeably either.
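The same differential comparison underlies both the TL;DR (how the enumeration works) and verification step 4 (how to confirm it is gone). The following is an added example, not Shopware's own code and not the cvereports.com proof of concept: it takes several observed responses for an unregistered e-mail and several for a registered e-mail with a wrong password, and reports on which channels (status, body, timing) the two can be told apart. The endpoint path is the one named in the advisory; the timing threshold and every response body below are constructed, hypothetical values.

```python
"""Differential response check for user enumeration on a login endpoint.

Added example for this advisory; it is not Shopware's own code and not the
cvereports.com proof of concept. It assumes the Store API path named in the
advisory and that an unpatched instance answers differently (status, body or
latency) for an unknown e-mail than for a known e-mail with a wrong password.
Every response below is constructed for illustration, not captured from a
real shop.
"""
import json
import statistics
from dataclasses import dataclass

LOGIN_PATH = "/store-api/account/login"   # endpoint named in the advisory
TIMING_THRESHOLD_MS = 50.0                # assumption: median gap above this counts as observable


@dataclass
class Observation:
    """One login attempt as an attacker sees it: status, raw body, round-trip time."""
    status: int
    body: str
    elapsed_ms: float


def normalise_body(body: str) -> str:
    """Reduce a JSON error envelope to the fields that stay constant across
    requests, so per-request noise (ids, timestamps) does not hide a real
    difference. Non-JSON bodies are compared verbatim."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body.strip()
    errors = doc.get("errors", []) if isinstance(doc, dict) else []
    kept = [{k: e.get(k) for k in ("status", "code", "detail")} for e in errors]
    return json.dumps(kept, sort_keys=True)


def compare(unknown: list, known: list) -> set:
    """Return the channels on which the two account states are distinguishable.

    `unknown` holds samples for an e-mail that is not registered, `known` for a
    registered e-mail with a wrong password. Several samples per side are used
    so timing is judged on medians rather than on one round trip."""
    leaks = set()
    if {o.status for o in unknown} != {o.status for o in known}:
        leaks.add("status")
    if {normalise_body(o.body) for o in unknown} != {normalise_body(o.body) for o in known}:
        leaks.add("body")
    gap = abs(statistics.median(o.elapsed_ms for o in unknown)
              - statistics.median(o.elapsed_ms for o in known))
    if gap > TIMING_THRESHOLD_MS:
        leaks.add("timing")
    return leaks


def is_enumerable(unknown: list, known: list) -> bool:
    """True if at least one channel separates unknown from known accounts."""
    return bool(compare(unknown, known))


# --- constructed samples (hypothetical messages, not real Shopware output) ---
_NOT_FOUND = '{"errors":[{"status":"401","code":"EXAMPLE__ACCOUNT_NOT_FOUND","detail":"No account for this e-mail"}]}'
_BAD_PASSWORD = '{"errors":[{"status":"401","code":"EXAMPLE__BAD_CREDENTIALS","detail":"Wrong password"}]}'
_GENERIC = '{"errors":[{"status":"401","code":"EXAMPLE__BAD_CREDENTIALS","detail":"Invalid e-mail or password"}]}'

# Unpatched behaviour: an unknown e-mail short-circuits before the password
# hash is checked, so the reply is both faster and worded differently.
VULNERABLE_UNKNOWN = [Observation(401, _NOT_FOUND, t) for t in (9.0, 11.0, 10.0, 12.0, 10.5)]
VULNERABLE_KNOWN = [Observation(401, _BAD_PASSWORD, t) for t in (180.0, 175.0, 190.0, 182.0, 178.0)]

# Patched behaviour: same status, same body, hashing cost paid either way.
PATCHED_UNKNOWN = [Observation(401, _GENERIC, t) for t in (181.0, 176.0, 188.0, 179.0, 183.0)]
PATCHED_KNOWN = [Observation(401, _GENERIC, t) for t in (180.0, 177.0, 189.0, 181.0, 178.0)]


if __name__ == "__main__":
    print("unpatched leaks via:", sorted(compare(VULNERABLE_UNKNOWN, VULNERABLE_KNOWN)))
    print("patched leaks via:  ", sorted(compare(PATCHED_UNKNOWN, PATCHED_KNOWN)))
```

To use it against a real instance, collect each Observation by POSTing to the shop's /store-api/account/login with the test credentials and timing the round trip (the request shape and the sales-channel access-key header are not reproduced here; take them from the Store API reference for the deployed version). Run the check from the same network location each time, since the timing channel is only meaningful when the two sample sets share the same path to the server, and treat a timing-only result near the threshold as inconclusive rather than as proof either way.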

Read the full report for CVE-2026-31888 on our website for more details including interactive diagrams and full exploit analysis.